QualDerm Partners, a US-based healthcare management services provider supporting dermatology and skin care practices, reported a data breach affecting more than 3.1 million individuals, according to regulatory filings and breach notifications.
The company provides administrative and operational services to nearly 160 dermatology practices operating across 17 states. Authorities were notified that 3,117,874 individuals were impacted by the incident, based on filings with state regulators.
The breach was identified on December 24, 2025, when QualDerm detected unauthorized activity within its network. A forensic investigation later confirmed that an unauthorized actor had access to certain systems between December 23 and December 24, 2025.
According to the company’s findings, data was accessed and removed during that period. Investigators stated that the intrusion involved a limited number of internal systems, but included files containing sensitive personal and medical information.
The types of data affected vary by individual. QualDerm reported that compromised information may include names, email addresses, dates of birth or death, medical record numbers, diagnosis and treatment details, and health insurance information. For a smaller group of individuals, government-issued identification numbers such as driver’s licence details may also have been exposed.
The company began notifying affected individuals in February 2026, with letters sent on a rolling basis while the data review process continues.
QualDerm stated that it had not identified confirmed misuse of the affected data at the time of notification. The company said it has taken steps to secure its systems following the incident and has engaged third-party cybersecurity specialists to investigate the breach.
As part of its response, QualDerm is offering affected individuals credit monitoring and identity protection services.
The breach affects patients connected to dermatology, cosmetic, and skin care services provided through QualDerm-affiliated practices. The company continues to review the scope of the incident to determine the full extent of the data involved.