QualDerm Partners, LLC, a Tennessee-based dermatology management company that provides operational, IT, and insurance support to 158 dermatology and skin care practices across 17 states, has disclosed a data breach that exposed the personal and medical information of approximately 3,117,874 individuals. The breach occurred in late December 2025 and notification letters began reaching affected patients in February 2026.
What Happened
On December 24, 2025, QualDerm Partners detected unauthorized activity on certain systems within its network. A third-party cybersecurity firm was engaged to investigate, and the forensic analysis determined that between December 23 and December 24, 2025, an unauthorized actor gained access to a limited number of systems and exfiltrated data.
The Oregon Attorney General was among the state regulators notified of the breach, which affected a total of 3,117,874 individuals nationwide, including at least 174,837 Texas residents. Notification letters were mailed to affected individuals beginning on February 22, 2026 — approximately two months after the breach occurred.
What Data Was Compromised
The type of data exposed varies by individual. QualDerm confirmed the breach may have included:
- Full names and dates of birth/death
- Email addresses
- Doctor names and medical record numbers
- Diagnoses and treatment information
- Health insurance information
- For a small subset of individuals: government-issued identification (e.g., driver's license numbers)
The inclusion of detailed medical information — diagnoses, treatments, and health insurance data — creates a significantly elevated risk beyond typical data breaches. This combination of PHI (protected health information) and personal identifiers enables highly targeted attacks including medical identity theft, fraudulent insurance claims, and sophisticated phishing scams impersonating healthcare providers.
Notification Timeline Concerns
Multiple law firms investigating the breach have noted that although the unauthorized access occurred in December 2025, affected individuals were not notified until approximately two months later, in February 2026. Under HIPAA's Breach Notification Rule, covered entities and business associates are generally required to notify affected individuals within 60 days of discovering a breach. Whether QualDerm met this deadline is a subject of ongoing legal scrutiny.
Company Response
QualDerm Partners stated that it is reviewing its data security policies, procedures, and protocols in response to the incident. The company said no misuse of patient data has been identified to date and has offered complimentary credit monitoring and identity theft protection services to all affected individuals.
Legal Actions
Several law firms have launched investigations into the breach and are exploring potential class action lawsuits on behalf of affected patients. The exposure of medical records and health insurance information from a large, multi-state healthcare network raises significant HIPAA compliance questions and creates a long-term risk window for affected individuals.
Context: Healthcare Sector Under Siege
The QualDerm breach is one of several multi-million-record healthcare incidents confirmed in early 2026. TriZetto Provider Solutions, a healthcare IT business associate, disclosed a comparable breach affecting over 3.4 million individuals around the same period. Healthcare organizations remain among the most targeted sectors for data theft due to the high value of medical records on criminal marketplaces — health records command significantly more than financial records due to the rich combination of PII, PHI, and insurance data they contain.
Patients who received a notification letter from QualDerm Partners should enroll in the offered credit monitoring service, monitor their explanation of benefits (EOB) statements for unfamiliar claims, and be alert for phishing attempts that may reference their dermatology care or health insurance provider.