What happened
Three healthcare-related organizations recently disclosed separate data breach incidents involving unauthorized access or disclosure of sensitive information. DermCare Management said it detected suspicious activity on February 26, 2025 and later determined that unauthorized access to its network occurred between February 14 and February 26, 2025. The company said it engaged data review specialists to determine which individuals were affected and what information was involved. Because of the complexity of the data, DermCare Management said it was not until March 2, 2026 that it identified the affected individuals, determined the exposed data types, and obtained enough information to issue notification letters. The company confirmed the exposed or acquired information included names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.
Aetna disclosed two separate 2025 incidents tied to third-party mailing errors rather than unauthorized access to its systems. The company reported the incidents to the HHS Office for Civil Rights as breaches affecting 10,888 and 775 individuals, for a combined total of 11,663 people. According to the disclosure, the issue involved letters sent on behalf of two health plans that may have inadvertently included the name of another individual who was not a member of that recipient’s health plan. CVS Health, Aetna’s parent company, said the information disclosed was minimal.
Option Care Health said it identified unauthorized access to an employee’s email account and determined that access occurred between February 6 and February 9, 2026. The company said the account was reviewed and, on February 26, 2026, it confirmed that the exposed information included names, dates of birth, medical record numbers, and treatment information. The incident was reported to regulators, but the total number of affected individuals has not yet been disclosed.
Who is affected
The direct impact falls on individuals whose information was involved in the three incidents disclosed by DermCare Management, Aetna, and Option Care Health. Aetna is the only one of the three that publicly disclosed affected counts in the source article, reporting a combined total of 11,663 affected individuals across its two mailing incidents. DermCare Management and Option Care Health both said sensitive personal or medical information was involved, but neither disclosed a total number of affected individuals in the article.
Why CISOs should care
These incidents matter because they show three different breach paths affecting healthcare data: unauthorized network access, unauthorized email access, and third-party mailing errors. They also show why disclosures may surface long after the original event, particularly when organizations need extended review time to identify affected individuals, confirm what data was involved, and prepare legally sufficient notifications.
3 practical actions
- Differentiate breach paths clearly: Scope whether an incident involves network compromise, account compromise, or third-party disclosure errors, because each path creates different containment and notification requirements.
- Plan for extended data review timelines: Build response plans that account for the possibility that complex datasets may take months to review before affected individuals and exposed data types can be confirmed.
- Pressure-test third-party controls: Review vendors involved in mailings, communications, and data handling, since one of the disclosed incidents stemmed from a third-party mailing error rather than a system intrusion.
