
- QualDerm cyberattack exposed sensitive healthcare and personal data of 3.1 million people
- Breach included names, medical records, insurance info, and government IDs
- No evidence of misuse yet; company reported incident to HHS and is notifying affected individuals
Dermatology management services giant QualDerm suffered a cyberattack in late 2025 that exposed sensitive personal and healthcare data on more than three million people.
The company is now notifying affected individuals by mail, noting in a breach notification letter that between December 23 and 24, 2025, a threat actor managed to access “a limited number of systems” and pull “certain information” stored within.
That data includes a combination of people’s names, email addresses, dates of birth, their doctor’s name, medical record numbers, diagnosis and treatment information, health insurance information, and government-issued ID numbers or driver’s license numbers. Not every individual lost all this information, though.
No attribution yet
This information is highly sensitive and can be used to devastating effect. For example, a threat actor can identify the contact information of a CEO at a large company and use a convincing phishing lure to gain access, drop ransomware, and demand payment. They can also extort people who are trying to keep their medical conditions private.
QualDerm also reported the breach to the US Department of Health and Human Services (HHS) Office for Civil Rights, telling it that exactly 3,117,874 individuals were affected.
At the time of writing, there is no evidence of the data being abused in real-life attacks, and no threat actors have claimed responsibility for the breach just yet. We also don’t know if the attackers reached out to QualDerm asking for ransom in exchange for deleting the files. The company also did not say how the crooks broke in.
QualDerm provides administrative, financial, and IT services to affiliated skin care practices, serving dermatologists and clinics across 17 states, supporting over 150 practices and treating more than 120,000 patients monthly.
Via Cybernews