HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

US Dermatology Partners notifies patients of ransomware attack one year later

Written by Lusanda Molefe | Jun 19, 2025 5:21:57 PM

U.S. Dermatology Partners (USDP), one of the largest dermatology practices in the United States, has begun notifying patients of a data breach that occurred in June 2024. The incident, now officially reported to federal regulators as affecting 13,717 individuals, has been linked to the BianLian ransomware gang.

What happened

According to its public notice, USDP detected a network disruption on June 19, 2024. An investigation confirmed that an unauthorized party had accessed its network and transferred certain files to an external location on that same day. However, the comprehensive review to determine what information was in the stolen files was not completed until nearly ten months later, on April 2, 2025. USDP began mailing notification letters to affected individuals on May 30, 2025, almost a full year after the initial breach.

Going deeper

U.S. Dermatology Partners, which operates as Oliver Street Dermatology Management, LLC, serves over two million patients annually across more than 100 locations in eight states. The compromised information is extensive and varies by individual, but may include:

  • Full names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Driver’s license numbers
  • Financial information (account or card numbers)
  • Medical record numbers
  • Health insurance information
  • Specific details about dermatology services received

The intrigue

While USDP’s notice attributes the breach to an "unauthorized party," reports have linked the incident directly to the BianLian ransomware group, which claimed responsibility in June 2024 and subsequently leaked 300 GB of stolen data. Further complicating the matter, the Black Basta ransomware group also claimed to have breached USDP in September 2024.

Adding to the complexity, the entity is listed on the HHS portal as a "Business Associate," not a "Healthcare Provider." This suggests that Oliver Street Dermatology Management, LLC may function as a management services organization for the various USDP-branded clinical practices, creating a complex liability chain under HIPAA.

Why it matters

This breach is significant due to the extreme delay in notification and the sensitive nature of the exposed protected health information (PHI) and personally identifiable information (PII). The nearly year-long gap between the incident and patient notification raises serious questions about compliance with the HIPAA Breach Notification Rule, which mandates notification no later than 60 days following the discovery of a breach. The exposure of SSNs, financial data, and detailed medical histories places victims at a high risk of identity theft and financial fraud.

What they're saying

In its notice, U.S. Dermatology Partners stated it “quickly took steps to secure our network” and that it is “unaware of any misuse of patients’ information.”

Multiple law firms, including Strauss Borrelli PLLC and Goldenberg Schneider, LPA, have already announced investigations into the breach. These firms are exploring potential class-action lawsuits, citing the delay in notification and the failure to adequately protect sensitive patient data.

Looking ahead

Affected individuals are strongly urged to monitor their financial accounts, credit reports, and Explanation of Benefits statements for any signs of fraud. Given the severity of the exposed data, placing a fraud alert or credit freeze with the major credit bureaus is also recommended. USDP will likely face significant regulatory scrutiny from the HHS Office for Civil Rights (OCR) over its delayed notification timeline and the circumstances of the security incident.

FAQs

What is a ransomware attack?

A ransomware attack is a type of cyberattack where malicious software encrypts a victim's files or systems, making them inaccessible. The attackers then demand a ransom payment, often in cryptocurrency, in exchange for the decryption key. Many modern ransomware attacks also involve "double extortion," where attackers steal a copy of the data before encrypting it and threaten to leak it publicly if the ransom is not paid.

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. This notification must be made "without unreasonable delay and in no case later than 60 calendar days" from the discovery of the breach.

What is a business associate?

Under HIPAA, a business associate is a person or entity that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. Examples include billing companies, IT providers, or practice management firms. They are directly liable for HIPAA compliance.