The health center notified the Attorney General of Maine and published a notice online.
Brevard Skin & Cancer Center, based out of Florida, has notified the Attorney General of Maine and the public of a data breach. The breach reportedly impacted 55,500 individuals.
According to the notice, Brevard discovered a breach had taken place on or around October 14th, 2025. Through an investigation, Brevard further found that the breach took place on September 28th, 2025. Although the notice states the breach was discovered in October, when filed with the Attorney General, Brevard stated it was discovered on December 9th.
In response to the incident, Brevard stated, “Please be aware that this incident will not disrupt or interfere with the care you received or will receive at Brevard, and we remain committed to meeting your healthcare needs.”
Brevard said that for impacted individuals, the following data may have been viewed or accessed: names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, diagnosis and clinical information, and billing and claims information. They currently do not believe any financial information was accessed.
As a result of the incident, Brevard says they worked with their IT and cybersecurity team and legal counsel to investigate the incident and improve security protections. Complimentary credit monitoring service is being provided. Although the notice is available online, it’s dated that patients will be notified beginning December 26th.
Brevard generally provides care across Brevard County, Florida, which has a population of about 630,000. While the practice likely serves people outside of the county, a breach of 50,000 is fairly significant. As breaches increase, the impact can also increase; when someone has been impacted by multiple breaches, it’s more likely that various pieces of information have been accessed, allowing malicious actors to create a better profile of victims. Once a threat actor has a strong profile of an individual, it can be easier to commit fraud or theft. Outside of the threat to patients, breaches can also erode patient trust, cause operational challenges (especially as new procedures are implemented), and present financial challenges due to penalties or lawsuits.
Every state has different laws regarding the disclosure of data breaches. Maine requires organizations to disclose data breaches if it impacts Maine residents, so even though Brevard is based in a different state, they must still comply. The HHS also requires notification within 60 calendar days if a breach impacts over 500 individuals. Brevard may still be gathering information for the HHS, or the HHS may simply be processing the report. Either way, both the Maine AG and the HHS will eventually be notified.
It’s unclear why there is conflicting information about when the breach was discovered. It may have been initially discovered in October, and the investigation may have lasted until December.