The company is notifying patients on a rolling basis, with the estimated number of impacted individuals already over 100,000.
What happened
QualDerm Partners LLC, a healthcare management service based out of Tennessee, recently notified the public and the Attorney General of Maine of a massive data breach impacting approximately 158 practices across 17 states.
The service provider, which partners with small skin and aesthetic providers, sees, on average, 120,000 patients each month and works with over 350 providers.
According to the notice, data involved in the breach may have included names, dates of birth, doctor’s name, medical record numbers, dates of death, email addresses, treatment and diagnosis information, and health insurance information. For some individuals, government-issued identification, such as a driver’s license number, may also have been included in the breach. Given the number of partners QualDerm has, the company does not yet know the total victim count.
Going deeper
While the total number of impacted individuals is still being investigated, QualDerm has begun contacting victims and regulatory authorities on a rolling basis. The management service has notified the Attorney General of Texas, stating they estimate 174,837 victims in that state alone. QualDerm currently partners with 10 practices in Texas.
According to QualDerm’s notice posted online, the incident was first detected on December 24th, 2025. Cybersecurity experts confirmed an unauthorized user had accessed the system on the 23rd and 24th of December.
The big picture
Data breaches between healthcare practices and vendors have become increasingly common. According to one Paubox report, nearly one in three breaches involved business associates in 2025. Just earlier this week, healthcare technology company Veradigm agreed to a $10.5 million settlement connected to a breach at the practices it works with.
On top of that, 16% of email breaches were tied to vendor mismanagement.
Large breaches like the one at QualDerm show how important it is to audit business partners and to have a strong business associate agreement that clearly defines the business associate’s role in protecting data.
Related: Why business associates can be a weak link in email security.
FAQs
Who will send out the notices to patients?
In this breach, it appears that QualDerm will handle sending out notices to impacted individuals. Generally, vendors will work with the impacted providers to determine the best course of action for notifying victims.
When will the Department of Health and Human Services be notified?
The HHS will likely be notified once QualDerm has a final estimate of the number of impacted individuals. Although organizations are supposed to notify the HHS of data breaches within 60 days of discovery, reports are commonly delayed for large breaches, especially those involving vendors.