QualDerm Data Breach Exposes Information of 3.1 Million People Across 17 States

What happened

A QualDerm data breach exposed information of 3.1 million people across 17 states after an unauthorized actor accessed a limited number of systems between December 23 and December 24, 2025. QualDerm, a U.S. dermatology management services provider supporting more than 150 practices, said it became aware of the intrusion on December 24, 2025 and began notifying affected individuals this week. The company said the attacker removed certain information stored within the affected systems. Data reported as compromised may include patient names, email addresses, dates of birth or death, doctor names, medical record numbers, diagnosis and treatment information, health insurance information, and government-issued identification information such as driver’s license numbers. The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights on February 22.

Who is affected

The direct exposure affects 3,117,874 individuals tied to QualDerm’s operations across 17 states. The impacted information varies by person, but the company said the exposed data may include personal, medical, insurance, and government-issued identification information connected to patients. 

Why CISOs should care

This incident is significant because it involves a large-scale compromise of healthcare-related information across a multi-state provider network. For CISOs, the operational relevance is that the exposed data spans identity, medical, and insurance records at once, so a single intrusion implicates both patient data handling practices and the organization’s broader breach response obligations, including regulatory reporting and multi-state notification.

3 practical actions:

  1. Validate the full data-impact picture: Confirm exactly which categories of patient, insurance, and identification data were present on the affected systems so leadership is working from a precise exposure scope. 
  2. Align breach response with patient-facing operations: Ensure notification, support, and monitoring processes are coordinated across affected practices because the incident reaches a large patient population across multiple states. 
  3. Review security and data protection changes already underway: Press for concrete follow-through on security improvements and policy reviews after the incident, especially where sensitive medical and insurance information is involved. 