
Healthcare management services provider QualDerm Partners has disclosed a major data breach impacting more than 3.1 million individuals, following a cyberattack on its internal systems. The incident, which occurred in December 2025, involved unauthorized access to the company’s network for a brief period of approximately two days.
According to the company, attackers were able to access and extract data from a limited number of compromised systems during the intrusion. The breach has resulted in the exposure of highly sensitive information, including names, addresses, dates of birth, email addresses, and medical record details. The stolen data also includes treatment and diagnosis information, doctor names, and health insurance details, raising serious concerns around patient privacy and identity theft risks.
In some cases, even more sensitive information such as government-issued identification data and dates of death may have been compromised. The scale and nature of the data involved make this breach particularly significant, as it includes both personally identifiable information (PII) and protected health information (PHI).
QualDerm detected the unauthorized activity on December 24, 2025, and responded by activating its incident response protocols, securing its systems, and notifying law enforcement and relevant regulatory authorities. The company has stated that its investigation is ongoing and that notifications are being sent to affected individuals as they are identified.
The breach has been officially reported to the US Department of Health and Human Services, which recorded that 3,117,874 individuals were impacted. As part of its response, QualDerm is offering 12 months of free identity theft protection and credit monitoring services to those affected.
Headquartered in Tennessee, QualDerm Partners provides management services to over 150 dermatology and skin care practices across 17 U.S. states. The incident highlights the growing cybersecurity risks within the healthcare sector, where large volumes of sensitive patient data make organizations a prime target for cyberattacks.




