DermCare Management discloses breach affecting over 70 clinics

A Florida-based healthcare management firm took 13 months to identify affected individuals after a February 2025 network intrusion, with at least 9,724 Texas residents confirmed affected and a multi-state total still being determined.

What happened

DermCare Management, a Hollywood, Florida-based practice management company supporting more than 70 dermatology and aesthetic medicine clinics across Florida, Texas, Virginia, and California, has disclosed a data breach in which an unauthorized actor accessed and copied data from its network between February 14 and February 26, 2025. According to DataBreaches.net, DermCare identified suspicious activity on February 26, 2025, confirmed unauthorized access on March 3, 2025, and reported the incident to the HHS Office for Civil Rights in May 2025 using a placeholder estimate of 501 affected individuals. Due to the complexity and volume of data involved, it was not until March 2, 2026, that DermCare's specialists completed their identification of affected individuals. Notification letters began going out in April 2026. The Texas Attorney General's filing, submitted on April 10, 2026, confirms that at least 9,724 Texas residents were affected. The California Attorney General filing, submitted April 8, 2026, covers additional affected individuals in that state. Compromised data includes names, Social Security numbers, driver's license numbers, credit and debit card information, financial account information, and medical information, with specific data types varying by individual.

Going deeper

DermCare serves as the administrative and operational backbone for its partner practices, handling billing, compliance, HR, and patient record management on behalf of more than 140 medical providers across its network. A breach at the management company level, therefore, propagates across every affiliated clinic simultaneously, with each practice facing its own obligation to notify patients. At least ten partner practices have independently published substitute breach notices confirming their patient data was involved, including Skin and Beauty Center, Berman Skin Institute, Dania Dermatology, Dermatology Treatment and Research Center, Florida Academic Dermatology Center, Hillcrest Plastic Surgery and Dermatology, Hollywood Dermatology, Keys Dermatology, Miami Plastic Surgery, Rendon Center for Dermatology and Aesthetic Medicine, and Skin Center of South Miami. The total number of affected individuals across all states has not yet been confirmed publicly, but the multi-state AG filings and the breadth of affected partner practices suggest the final figure will substantially exceed the confirmed Texas count.

What was said

DermCare Management stated in its breach notice that it "acted to secure its systems and engaged cybersecurity professionals to investigate the incident" upon detecting suspicious activity, and that "due to the complexity of the data involved," the specialist review was not completed until March 2, 2026. The company confirmed it has begun sending individual notifications and is operating a dedicated assistance line. DermCare reported the incident to the HHS Office for Civil Rights in May 2025 while the file review remained ongoing, using a standard placeholder figure.

In the know

The DermCare breach follows a pattern seen in the Pinnacle Holdings incident, which was disclosed the same week, in which a healthcare management or consulting firm serving multiple covered entities experiences a single breach that propagates across its entire client network. According to DataBreaches.net, at least ten DermCare partner practices have published their own separate breach notices, each triggering independent notification obligations. The 13-month gap between the February 2025 breach discovery and March 2026 identification of affected individuals is consistent with the intricacy of reviewing unstructured data across a management platform serving dozens of practices, but it also means patients across multiple states had no formal warning for over a year while their financial and medical data remained potentially in an attacker's hands.

The big picture

The DermCare case makes the third-party risk calculation concrete. A single practice management company holds the patient records of more than 700,000 people across 70 locations. A successful intrusion at that level does not produce one breach — it produces dozens of parallel notification obligations, each governed by its own state law timeline, each requiring its own patient notification, and each reflecting the same underlying security failure at the management layer. Healthcare organizations that outsource practice management, billing, or data operations concentrate their patient data exposure risk into a single vendor. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate email exposure accounted for 28 percent of all email-related healthcare breaches in 2025, with third-party breach sizes typically larger than direct organizational incidents. The DermCare breach extends that pattern beyond email to the full operational data layer that practice management companies hold.

FAQs

Why did it take 13 months to identify affected individuals?

DermCare's network held data for patients across more than 70 locations spanning multiple states and provider relationships. Identifying every individual whose specific records were accessed required a file-by-file forensic review of complex, unstructured data, a process that scales with the volume and variety of data held rather than the size of the organization itself.

Why are individual partner practices issuing their own breach notices if DermCare was the one breached?

Under HIPAA, each covered entity remains responsible for notifying its own patients when their PHI is compromised, even when the breach occurred at a business associate. DermCare's breach triggered separate notification obligations for each affiliated practice whose patient data was involved.

What does the Texas AG filing confirm about the scope?

The Texas Attorney General filing submitted April 10, 2026, confirms that at least 9,724 Texas residents were affected. State AG filings are required when a breach affects residents of that state above a threshold, and each state filing provides a separate count, meaning the total across all affected states will be the sum of each state's figure.

What is the risk when a practice management company holds patient data across multiple clinics?

A practice management company that centralizes billing, compliance, and records for dozens of practices creates a single high-value target. An attacker who gains access to that system gains simultaneous access to patient data from every affiliated practice, multiplying the breach impact well beyond what any individual clinic could produce on its own.

How can dermatology practices and other specialty clinics reduce their exposure to vendor breaches?

Practices should include contractual breach notification requirements in agreements with management companies, require evidence of security controls such as encryption, access logging, and intrusion detection, and limit the volume of data shared with management platforms to what is strictly necessary for the services provided. Annual security assessments of high-risk vendors reduce the probability of undetected vulnerabilities remaining open for extended periods.