Healthcare management services provider QualDerm Partners is notifying more than 3.1 million people that their personal, medical, and health insurance information was stolen in a December 2025 data breach.
The incident, the company says, was discovered on December 24 and involved unauthorized access to its network for two days.
During this window, the attackers exfiltrated certain information from the “limited number of systems” that they compromised, the company notes in an incident notification (PDF).
The stolen information, it says, includes names, addresses, dates of birth, email addresses, medical record numbers, doctor names, treatment and diagnosis information, health insurance information, dates of death, and, in some cases, government-issued ID information.
QualDerm also notes that its investigation into the data breach continues, and that it has decided to notify the patients who have been identified to date.
In response to the attack, the company immediately activated its response plans, took steps to contain the unauthorized activity, assessed the security of its systems, and notified law enforcement and regulatory agencies.
QualDerm told the US Department of Health and Human Services that 3,117,874 people were impacted by the attack. The incident was reported last month, but was added to the HHS’s breach portal this week.
The company is providing the impacted individuals with 12 months of free identity theft and credit monitoring services.
Headquartered in Brentwood, Tennessee, QualDerm Partners provides healthcare management services to 158 practices in 17 states, covering cosmetics, dermatology, pathology, plastic surgery, and skin cancer care.
Related: Mazda Says Employee, Partner Information Stolen in Cyberattack
Related: Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware
Related: Navia Data Breach Impacts 2.7 Million
Related: Robotic Surgery Giant Intuitive Discloses Cyberattack
