On February 26, 2025, DermCare Management identified suspicious activity on its systems, later confirming that an unauthorized actor may have copied protected health information (PHI) from its network.
DermCare Management, the business associate for more than 70 skincare practices, detected unusual activity on its computer systems on February 26, 2025. After securing its network, the company launched an internal investigation and, by March 3, confirmed that an unauthorized actor may have exfiltrated patient data.
The compromised information includes personally identifiable information (PII) and PHI such as Social Security numbers, driver’s license numbers, financial account details, medical records, and health insurance information. DermCare disclosed the breach to the U.S. Department of Health and Human Services on May 2, 2025.
Learn more: What is the difference between PII and PHI?
The following affiliated practices were affected by the DermCare breach:
According to the Berman Skin Institute public notice, “Based on the information known at this time, the types of information potentially affected by this event may include individuals’ Social Security number, driver’s license number, financial account information, medical information, and health insurance information. Not all patients are impacted, and impacted information per individual may vary.”
DermCare has set up a dedicated helpline at 833-998-7517, available Monday through Friday, 9 a.m. to 5 p.m. EST, to assist affected individuals. The company is also offering resources to help individuals obtain free credit reports, place fraud alerts, and freeze credit if necessary.
A business associate is a third-party organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity such as a hospital, clinic, or health plan. Typical examples are vendors that handle billing, IT, data storage, or practice management, as DermCare Management does.
Business associates must sign a business associate agreement (BAA) that outlines how they will secure PHI per HIPAA standards. They are directly liable under HIPAA and can face substantial fines for violations. Because such companies usually serve many healthcare providers, a single compromise can expose data held for dozens of practices at once, as this incident shows.
Because both PHI and financial identifiers were exposed, affected individuals face an elevated risk of identity theft and fraud. Healthcare organizations and their vendors, particularly those handling sensitive dermatological and surgical records, must strengthen their security controls to prevent unauthorized data access in the future.
HIPAA requires business associates such as DermCare Management to safeguard individuals’ PHI and use it only for authorized purposes. Violations can result in severe penalties, including fines and legal action.
Under HIPAA, a breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Examples include hacking, losing an unencrypted device containing PHI, or sharing information with unauthorized individuals.
Individuals who suspect their data has been compromised should monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
As of March 2025, HIPAA civil penalties range from $141 to $71,162 per violation, depending on culpability, with a calendar-year cap of $2,134,831 for identical violations. Tier 1 (the entity did not know, and could not reasonably have known, of the violation) starts at $141 per violation; Tier 2 (reasonable cause, not willful neglect) at $1,424; Tier 3 (willful neglect corrected within 30 days) at $14,232; and Tier 4 (willful neglect not corrected) at $71,162, the only tier whose annual total can reach the full $2,134,831 cap. Under its enforcement discretion, HHS applies lower annual caps to the first three tiers (for example, $35,581 for Tier 1).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.