One-sentence headline summary

Dermatology management services provider QualDerm has confirmed a late 2025 cyberattack that exposed the sensitive personal and medical information of approximately 3.1 million patients across the United States.

Key points

• The breach occurred between December 23 and December 24, 2025, affecting 3,117,874 individuals.
• Compromised data includes names, medical records, health insurance details, dates of birth, and government-issued identification numbers.
• QualDerm provides administrative and IT support to over 150 dermatology practices across 17 states.
• The company has reported the incident to the U.S. Department of Health and Human Services and is currently notifying affected individuals by mail.
• No evidence of data misuse or ransom demands has been reported by the company at this time.

This large-scale exposure of highly sensitive medical and identity data poses a significant risk of identity theft and targeted phishing attacks against patients. The incident highlights the ongoing vulnerability of administrative service providers that manage centralized data for numerous healthcare practices.