Active breach tracker Linthicum, Maryland Disclosed July 11, 2025

Anne Arundel Dermatology Data Breach 2025: 1.9M Patients Exposed in 3-Month Network Intrusion. $2.4M Settlement. What To Do

Anne Arundel Dermatology disclosed a hacking incident on July 11, 2025 affecting 1,905,000 patients. Attackers had access to the network for three months (Feb 14 - May 13, 2025) and exposed names, dates of birth, medical and insurance information. A $2.4M class action settlement received preliminary approval on February 26, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 14, 2025

Unauthorized access to Anne Arundel Dermatology's network began

May 13, 2025

AAD detected suspicious activity and contained the intrusion (end of attacker dwell)

May 20, 2025

Forensic review confirmed unauthorized access to files containing patient information

Jun 27, 2025

File review completed; identification of affected individuals concluded

Jul 11, 2025

AAD filed Hacking/IT Incident report with HHS OCR; individual notification letters mailed

Dec 12, 2025

Consolidated class action filed: In Re Anne Arundel Data Breach Litigation, 1:25-cv-02274 (D. Md.)

Feb 26, 2026

Preliminary approval of $2.4M class settlement

Jun 9, 2026

Class settlement opt-out / objection deadline

Jul 8, 2026

Class settlement claim filing deadline

Jul 16, 2026

Final fairness hearing scheduled

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (subset of individuals, per substitute notice cohort)

02

Health records

Don't expire and can't be reissued

Medical record number Medical history and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Mailing address Patient ID number Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Schubert Jonckheer & Kolbe LLP Cafferty Clobes Meriwether & Sprengel LLP Cotchett, Pitre & McCarthy (CPM Legal)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Anne Arundel Dermatology (AAD) is one of the largest dermatology groups on the East Coast, with more than 60 clinic locations across Maryland, Virginia, the District of Columbia, Florida, Georgia, North Carolina, Pennsylvania, and Tennessee. The group is headquartered in Linthicum, Maryland and provides medical, pediatric, surgical, and aesthetic dermatology services.

On May 13, 2025, AAD detected suspicious activity inside its computer network. Forensic investigators determined that an unauthorized actor had been inside the network since February 14, 2025, a dwell time of roughly three months. AAD’s own notification describes the event as a Hacking/IT Incident affecting a network server. No ransomware group has publicly claimed credit, and as of this writing no stolen Anne Arundel Dermatology data has appeared on a known dark-web leak site.

AAD completed its forensic file review on June 27, 2025 and filed with the U.S. Department of Health and Human Services Office for Civil Rights on July 11, 2025, reporting 1,905,000 affected individuals. That count makes the AAD incident the fourth-largest US healthcare breach reported to OCR in 2025 and the largest Maryland-based provider breach of the year.

What we know about the timeline

  • February 14, 2025 - Unauthorized access to AAD’s network begins.
  • May 13, 2025 - AAD identifies suspicious activity, contains the intrusion, and engages outside forensics counsel.
  • May 20, 2025 - Forensic investigation confirms unauthorized access to files containing patient information.
  • June 27, 2025 - Identification of affected individuals and the specific data elements involved is completed.
  • July 11, 2025 - AAD files with HHS OCR and begins mailing individual notification letters.
  • December 12, 2025 - Consolidated class action filed in the District of Maryland: In Re Anne Arundel Data Breach Litigation, No. 1:25-cv-02274.
  • February 26, 2026 - The court grants preliminary approval to a $2.4 million class settlement.
  • June 9, 2026 - Opt-out / objection deadline for class members.
  • July 8, 2026 - Class settlement claim filing deadline.
  • July 16, 2026 - Final fairness hearing scheduled.

The roughly six-week gap between detection (May 13) and the start of patient notifications (after July 11) is at the outer edge of what HIPAA’s 60-day rule contemplates, and plaintiffs’ firms have flagged it in their complaints. AAD says the delay was driven by the time needed to complete file review and identify whose records were involved.

What was exposed

Based on AAD’s own notification letters, the substitute notice posted to its website, and the consolidated class complaint, the exposed dataset includes:

  • Full name and mailing address
  • Date of birth
  • Patient ID number and medical record number
  • Medical history and treatment information (clinical content from a dermatology record: diagnoses, procedures, photographs in some files)
  • Health insurance information (plan, member ID, group ID)
  • Social Security number for a subset of individuals, per the cohort that received the substitute notice listing SSN explicitly

Payment card numbers and bank account information have not been reported as part of the exposed dataset. The harm shape here is medical identity theft and full-profile identity fraud for those whose SSNs were involved, plus targeted phishing risk for the larger population whose insurance IDs and clinical history were taken.

AAD has stated it was unable to definitively determine whether the data was viewed or exfiltrated, but the company is treating the access as if exfiltration occurred and is notifying every individual whose records were in the affected systems.

What Anne Arundel Dermatology is offering

AAD is providing 24 months of complimentary credit monitoring and identity theft protection to all 1.9 million affected individuals. Each notification letter contains an enrollment code and instructions for activating the service by phone or online. The enrollment deadline is printed on the individual letter.

Twenty-four months is the longer end of what mid-size providers typically offer for a hacking incident at this scale, but it is far less time than a Social Security number or date of birth remains valid and exploitable. Treat the AAD-paid monitoring as a floor, not a ceiling.

Separately, the $2.4 million class settlement (preliminarily approved February 26, 2026) layers on:

  • Up to $5,000 in documented out-of-pocket loss reimbursement per class member
  • An alternative pro rata cash payment estimated at $100 (subject to claim volume)
  • Three years of CyEx Medical Shield Complete medical-data monitoring

The claims deadline is July 8, 2026. The opt-out / objection deadline is June 9, 2026. The final fairness hearing is July 16, 2026 before the U.S. District Court for the District of Maryland.

The official court-approved settlement website is AnneArundelPrivacySettlement.com. Claims can be submitted online there or by mail to: AAD Settlement Administrator, P.O. Box 1788, Baton Rouge, LA 70821. The settlement administrator can also be reached by phone at 1-844-467-4798 or by email at [email protected].

Class-action and regulatory posture

At least 21 putative class actions were filed in the District of Maryland in the months following AAD’s July 2025 disclosure. The court consolidated them as In Re Anne Arundel Data Breach Litigation, No. 1:25-cv-02274 (D. Md.), and a $2.4 million class settlement received preliminary approval on February 26, 2026.

Firms that publicly investigated or filed on the case include Schubert Jonckheer & Kolbe LLP, Cafferty Clobes Meriwether & Sprengel LLP, and Cotchett, Pitre & McCarthy (CPM Legal). The consolidated complaint alleges AAD failed to maintain reasonable security commensurate with the volume and sensitivity of the patient data it held, and that notification was delayed beyond what HIPAA and state law require.

On the regulatory side, the breach remains listed on the HHS Office for Civil Rights portal with no public enforcement resolution. Multistate Attorney General filings followed the OCR disclosure but no AG-led action has been publicly announced.

What to do if you may be affected

This week:

  1. Enroll in the complimentary 24-month credit monitoring using the code in your AAD notification letter. Do not let the enrollment deadline lapse. If you cannot find your letter, the AAD call center referenced in the substitute notice can reissue your code.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage protection against new-account fraud and is independent of any monitoring you enroll in. It is free, takes about ten minutes per bureau, and you can temporarily lift it any time.
  3. File IRS Form 14039 (Identity Theft Affidavit) if your notification letter lists your Social Security number as exposed. This blocks a fraudulent tax return being filed under your SSN.
  4. Review the AAD class settlement options at the official settlement website AnneArundelPrivacySettlement.com or call the settlement administrator at 1-844-467-4798. Decide whether to file a documented-loss claim (up to $5,000), take the alternative ~$100 cash payment, or opt out by June 9, 2026 if you intend to sue individually. Claims must be submitted by July 8, 2026.

This month:

  1. Review your Explanation of Benefits statements from your insurer for dermatology services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
  2. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks, so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
  3. Watch for follow-on letters. Some AAD affiliated practices, billing vendors, and downstream insurers may issue their own notifications referencing this same incident.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.