Two separate cyber incidents in early 2025 compromised sensitive medical and personal data across multiple states.
Anne Arundel Dermatology, a multi-state medical practice specializing in skin care, suffered two data breaches, the first on February 14, 2025, and the second on May 13, 2025. Combined, the breaches exposed personal and medical data belonging to approximately 1.9 million individuals. The official Texas filing listed 1,862 affected individuals in that state alone; the total impact spans multiple states.
The compromised information includes names, dates of birth, addresses, health insurance details, and other sensitive medical data. The breaches were formally reported to the attorneys general of California, Texas, and Vermont in mid-July 2025 and disclosed to the U.S. Department of Health and Human Services as affecting 1,905,000 individuals.
The exposed records contained both personally identifiable information (PII) and protected health information (PHI), subjecting the incident to HIPAA and to various state-level breach notification requirements. The timing of the breaches, months apart, has raised questions about whether they were stages of a single sustained intrusion or two unrelated incidents.
Anne Arundel Dermatology issued individual notices via mail and email beginning in July 2025. Public filings have not specified whether affected individuals are being offered services such as credit monitoring or identity theft protection, but patients are advised to monitor their accounts and report suspicious activity.
Anne Arundel Dermatology’s public response has focused on notifying patients and providing general guidance on safeguarding personal and financial information. Individuals were encouraged to monitor their credit reports and health insurance claims and to watch for phishing attempts. As of now, the company has not commented publicly on the cause or duration of the breaches, or on whether law enforcement is involved.
PHI refers specifically to health-related data tied to an identifiable individual, such as treatment history or insurance records. PII is the broader category of personal details such as names, addresses, or Social Security numbers. This breach involved both categories.
Under the HIPAA Breach Notification Rule and state breach notification laws, providers must notify affected individuals without unreasonable delay, and in no case later than 60 days after discovering the breach, usually via mail or email. Breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services on the same timeline.
Affected individuals may be able to join class action lawsuits or pursue other legal remedies, depending on the circumstances and the applicable state privacy laws. In this case, affected individuals are being invited to join a lawsuit.
Signs that breached data is being misused include unexpected medical bills, unfamiliar entries on credit reports, changes to insurance claims or explanations of benefits, and phishing attempts by phone or email. Regular monitoring helps detect misuse early.
The healthcare sector is a frequent target because medical records command a high price on criminal markets and can be used for identity theft, insurance fraud, or extortion.