QualDerm cyberattack triggers 3.1 million patient breach notices across 17 states
The letter arrived in late February, printed on the familiar stationery of a neighborhood dermatology clinic. Buried in the dense legal language was a jarring admission: Hackers had broken into computer systems tied to the practice over Christmas, and information about the patient's skin cancer diagnosis, treatments and insurance was now in unknown hands. The clinic itself was not named as the source of the breach. Instead, the notice pointed to an unfamiliar company in Tennessee: QualDerm Partners.
That letter is one of an estimated 3.1 million notifications now going out across the country after a cyberattack on QualDerm, a private company that manages dermatology practices in 17 states. The incident, which the company says it discovered on Dec. 24, 2025, is among the largest U.S. health data breaches reported in the past year and highlights the growing risks as private equity-backed companies consolidate specialty medical practices under shared digital infrastructure.
What QualDerm has disclosed
In a public Notice of Data Privacy Event posted on its website, QualDerm said it "detected unauthorized activity on certain systems within our network" on Dec. 24. A forensic investigation, the company said, later determined "an unauthorized actor gained access to a limited number of systems within our network between December 23, 2025, and December 24, 2025, and removed certain information stored within those systems."
The company, based near Nashville, described the information involved as highly variable from person to person. For many, it may include:
- name and date of birth
- doctor's name and medical record number
- email address
- treatment details and diagnosis information
In some cases, dates of death and health insurance information were involved. For "a very small number of individuals," QualDerm said, the compromised data also may have included "government-issued identification information, such as a driver's license number."
QualDerm said it has "no evidence of any attempted or actual misuse of information" at this time. Still, the company is offering affected individuals complimentary credit monitoring and identity protection services "out of an abundance of caution."
A brief intrusion, a broad reach
The breach window was brief, roughly 48 hours beginning Dec. 23, but the reach is broad. QualDerm and its affiliated platform, which includes Pinnacle Dermatology, support 158 practices in 17 states and more than 350 providers. The organization says its clinics handle about 120,000 patient visits every month.
Notification letters to patients began going out Feb. 22, 2026, nearly two months after the intrusion was detected. QualDerm said it also notified federal law enforcement and "required regulatory agencies." The company reported the incident to the U.S. Department of Health and Human Services' Office for Civil Rights, telling the agency that "exactly 3,117,874 individuals were affected," according to a report by TechRadar Pro.
Questions about federal posting and transparency
As of early March, however, the breach did not yet appear on the public HHS online list that tracks health data incidents affecting 500 or more people. That list, often called the "wall of shame," is a key tool for patients and researchers trying to track trends in health privacy.
The lag does not necessarily mean QualDerm failed to report; HHS records often take time to process and publish. But the absence of such a large incident on the federal list has raised questions among privacy watchers about transparency and timeliness.
The company has not publicly disclosed how the attackers gained access or whether ransomware was involved. No criminal group has publicly claimed responsibility, and there have been no reports of the data being posted on popular leak sites known to host stolen medical records.
State filings and legal scrutiny
State filings provide additional detail on the scale. A breach report filed with the Texas attorney general on Feb. 24 lists 174,837 Texas residents affected. A sample submission to the California attorney general's office uses Dec. 23, 2025, as the breach date, aligning with the start of the intrusion window. The Oregon Department of Justice has been notified that 3,117,874 individuals in total were impacted.
Several law firms have announced investigations and are soliciting potential plaintiffs for class-action lawsuits. In a news release, San Francisco-based Schubert Jonckheer & Kolbe LLP said that "although the breach began in December 2025, QualDerm did not begin notifying impacted individuals until around February 2026, which may have violated state and federal laws."
Under the federal Health Insurance Portability and Accountability Act, or HIPAA, covered health care providers must notify affected individuals "without unreasonable delay" and no later than 60 days after discovering a breach of unsecured health information; when a breach affects 500 or more people, the provider must also report it to HHS within that same 60-day window and notify prominent media outlets in the affected states. (A business associate that handles data on a provider's behalf must report a breach to the provider, which then carries those obligations.) QualDerm says it discovered the incident on Dec. 24 and began sending letters on Feb. 22, a span of exactly 60 days, which would place the individual notices at the outer edge of the federal deadline. Whether the delay was "unreasonable" turns on what the company knew and when, not on the 60-day cap alone.
Some state laws impose additional requirements. Oregon's Consumer Information Protection Act and Oregon Consumer Privacy Act, which took full effect for enforcement on Jan. 1, 2026, give the state attorney general broad authority to seek civil penalties for violations involving residents' personal data. Texas, California and other states also require prompt notifications and, in some cases, minimum security practices to protect consumer information.
Legal filings and public statements from plaintiff firms indicate they are exploring claims of negligence and violations of these laws. Typical allegations in such cases center on whether the organization maintained "reasonable" cybersecurity safeguards in light of the sensitivity and volume of data it held.
Consolidation, centralized systems, and bigger targets
For patients, the breach underscores how health information about a visit to a local dermatologist may be stored and managed far from the clinic where they receive care.
QualDerm describes itself as a "skin and aesthetics wellness family" formed by bringing together QualDerm Partners and Pinnacle Dermatology into a single brand. It is backed by private equity firm BayPine and fits into a broader trend of dermatology and other specialties being rolled up into large, multi-state platforms.
These management companies handle back-office functions such as billing, scheduling, marketing and information technology, often leaving local practices to retain their names and doctors. That structure can offer economies of scale and resources that small practices might struggle to afford on their own, including investments in electronic medical records systems and security tools. At the same time, centralizing data creates high-value targets: A successful attack on one corporate hub can cascade across dozens of clinics and millions of patients.
QualDerm is not new to data security incidents. A 2020 report from the Indiana attorney general's office lists an earlier QualDerm breach that occurred on Nov. 26, 2019, and led to notifications on March 17, 2020. That event affected 109 individuals in total, including one Indiana resident. The company did not provide public detail in that state summary about the cause or type of information involved.
Why dermatology records can be especially sensitive
Experts say dermatology records, like other medical files, can be especially sensitive. Diagnoses of melanoma or other skin cancers, autoimmune disorders that manifest on the skin, sexually transmitted infections and cosmetic procedures all can carry stigma or be used to infer other personal details. Health insurance information, combined with names and dates of birth, can be used in medical identity theft schemes to fraudulently obtain care or prescription drugs.
Security researchers and law enforcement have documented cases in which cybercriminals use knowledge of a personâs medical history to craft convincing phishing emails or to attempt blackmail. Even if financial identity theft is prevented through credit monitoring, the exposure of intimate health details cannot be reversed.
What patients can do next
QualDerm said it has taken steps to secure its network since the December incident, including working with third-party cybersecurity specialists and "implementing additional safeguards to enhance the security of our systems." The company has not publicly described those measures in detail.
Patients whose information may have been involved are being advised to:
- watch for suspicious emails or communications referencing their dermatology care
- monitor financial and insurance accounts
- consider enrolling in the credit monitoring and identity protection services being offered
Regulators at HHS and in state attorneys general offices will decide whether further action is warranted once their reviews are complete.
The hackers, according to QualDerm's own timeline, were in and out of its systems in roughly two days. For the millions of people whose medical histories were copied during that window, the effects of that intrusion may linger far longer than the holiday weekend when it occurred.