Anne Arundel Dermatology agrees to a $2.4M settlement

The Maryland-based dermatology practice has agreed to settle a class action suit following a 2025 data breach.

 

What happened

Anne Arundel Dermatology, an Annapolis-based dermatology practice with practices now across the East Coast, has agreed to settle a data breach lawsuit.

According to the settlement agreement, 1.9 million individuals were notified of the data breach in 2025. The breach resulted in a surge of lawsuits being filed, with 21 lawsuits ultimately being consolidated into a single suit, In Re Anne Arundel Data Breach Litigation. The lawsuit alleged that the dermatology practice was negligent in maintaining sensitive data and failed to implement reasonable and appropriate cybersecurity measures. These claims, along with others arguing the practice engaged in unjust enrichment and intentional invasion of privacy, were denied by Anne Arundel Dermatology.

Under the terms of the settlement, Anne Arundel Dermatology has agreed to establish a $2.4 million settlement fund. The final fairness hearing is scheduled for July 16th, 2026.

 

The back story

The breach that led to the class action lawsuit was discovered on May 13th, 2025. An investigation determined that an unauthorized actor had accessed the dermatology practice’s network between February 14th, 2025, and May 13th, 2025. Uniquely, the investigation was unable to determine if patient data had been accessed or exfiltrated, so a notice was sent to all current and former patients. The breach was noted by Paubox as one of the largest breaches in 2025.

For potential victims, information compromised may have included names, addresses, dates of birth, medical information, health insurance information, and other personal information.

 

The big picture

Unique to the incident, it’s unclear if any data was actually stolen. No threat actors have claimed the attack, and there have not been any reports of the data becoming available online. While that is good overall, suggesting that the data may not have been misused even if it was viewed by an unauthorized user, it shows that class action lawsuits can still take place even if harm is mitigated.

Breach investigations are critical to determining who was impacted by the breach and what may have happened to the data, but in this case, it seems like the investigation was unable to determine this information. As threat actors become more sophisticated, it can be harder to spot and trace their actions, which may be why it took nearly a month for the practice to realize a breach had taken place. The large victim count, caused by not knowing who was actually impacted, likely increased the settlement amount.

While this case resulted in a relatively large settlement, it’s not surprising. According to Paubox reports, the average cost of a data breach is now $11 million, encompassing costs associated with legal fees, the settlement itself, and other changes the organization may need to make to improve its cybersecurity.

 

FAQs

Why were so many lawsuits filed?

Multiple lawsuits are often filed when an incident like this occurs, especially when there are so many victims. These lawsuits are ultimately consolidated if they make similar claims, as in this case.

 

Why wasn’t Anne Arundel Dermatology able to determine the true victim count?

It’s unclear why the practice was not able to uncover the true victim count, but it’s likely that the threat actors were too stealthy for the investigators to track their actions in the network.
