Anne Arundel Dermatology Data Breach 2025: 1.9M Patients Exposed in 3-Month Network Intrusion. $2.4M Settlement. What To Do
Anne Arundel Dermatology disclosed a hacking incident on July 11, 2025 affecting 1,905,000 patients. Attackers had access to the network for three months (Feb 14 - May 13, 2025) and exposed names, dates of birth, medical and insurance information. A $2.4M class action settlement received preliminary approval on February 26, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 14, 2025
Unauthorized access to Anne Arundel Dermatology's network began
May 13, 2025
AAD detected suspicious activity and contained the intrusion (end of attacker dwell)
May 20, 2025
Forensic review confirmed unauthorized access to files containing patient information
Jun 27, 2025
File review completed; identification of affected individuals concluded
Jul 11, 2025
AAD filed Hacking/IT Incident report with HHS OCR; individual notification letters mailed
Dec 12, 2025
Consolidated class action filed: In Re Anne Arundel Data Breach Litigation, 1:25-cv-02274 (D. Md.)
Feb 26, 2026
Preliminary approval of $2.4M class settlement
Jun 9, 2026
Class settlement opt-out / objection deadline
Jul 8, 2026
Class settlement claim filing deadline
Jul 16, 2026
Final fairness hearing scheduled
Feb 14, 2025
Unauthorized access to Anne Arundel Dermatology's network began
May 13, 2025
AAD detected suspicious activity and contained the intrusion (end of attacker dwell)
May 20, 2025
Forensic review confirmed unauthorized access to files containing patient information
Jun 27, 2025
File review completed; identification of affected individuals concluded
Jul 11, 2025
AAD filed Hacking/IT Incident report with HHS OCR; individual notification letters mailed
Dec 12, 2025
Consolidated class action filed: In Re Anne Arundel Data Breach Litigation, 1:25-cv-02274 (D. Md.)
Feb 26, 2026
Preliminary approval of $2.4M class settlement
Jun 9, 2026
Class settlement opt-out / objection deadline
Jul 8, 2026
Class settlement claim filing deadline
Jul 16, 2026
Final fairness hearing scheduled
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Anne Arundel Dermatology (AAD) is one of the largest dermatology groups on the East Coast, with more than 60 clinic locations across Maryland, Virginia, the District of Columbia, Florida, Georgia, North Carolina, Pennsylvania, and Tennessee. The group is headquartered in Linthicum, Maryland and provides medical, pediatric, surgical, and aesthetic dermatology services.
On May 13, 2025, AAD detected suspicious activity inside its computer network. Forensic investigators determined that an unauthorized actor had been inside the network since February 14, 2025, a dwell time of roughly three months. AAD’s own notification describes the event as a Hacking/IT Incident affecting a network server. No ransomware group has publicly claimed credit, and as of this writing no stolen Anne Arundel Dermatology data has appeared on a known dark-web leak site.
AAD completed its forensic file review on June 27, 2025 and filed with the U.S. Department of Health and Human Services Office for Civil Rights on July 11, 2025, reporting 1,905,000 affected individuals. That count makes the AAD incident the fourth-largest US healthcare breach reported to OCR in 2025 and the largest Maryland-based provider breach of the year.
What we know about the timeline
- February 14, 2025 - Unauthorized access to AAD’s network begins.
- May 13, 2025 - AAD identifies suspicious activity, contains the intrusion, and engages outside forensics counsel.
- May 20, 2025 - Forensic investigation confirms unauthorized access to files containing patient information.
- June 27, 2025 - Identification of affected individuals and the specific data elements involved is completed.
- July 11, 2025 - AAD files with HHS OCR and begins mailing individual notification letters.
- December 12, 2025 - Consolidated class action filed in the District of Maryland: In Re Anne Arundel Data Breach Litigation, No. 1:25-cv-02274.
- February 26, 2026 - The court grants preliminary approval to a $2.4 million class settlement.
- June 9, 2026 - Opt-out / objection deadline for class members.
- July 8, 2026 - Class settlement claim filing deadline.
- July 16, 2026 - Final fairness hearing scheduled.
The roughly six-week gap between detection (May 13) and the start of patient notifications (after July 11) is at the outer edge of what HIPAA’s 60-day rule contemplates, and plaintiffs’ firms have flagged it in their complaints. AAD says the delay was driven by the time needed to complete file review and identify whose records were involved.
What was exposed
Based on AAD’s own notification letters, the substitute notice posted to its website, and the consolidated class complaint, the exposed dataset includes:
- Full name and mailing address
- Date of birth
- Patient ID number and medical record number
- Medical history and treatment information (clinical content from a dermatology record: diagnoses, procedures, photographs in some files)
- Health insurance information (plan, member ID, group ID)
- Social Security number for a subset of individuals, per the cohort that received the substitute notice listing SSN explicitly
Payment card numbers and bank account information have not been reported as part of the exposed dataset. The harm shape here is medical identity theft and full-profile identity fraud for those whose SSNs were involved, plus targeted phishing risk for the larger population whose insurance IDs and clinical history were taken.
AAD has stated it was unable to definitively determine whether the data was viewed or exfiltrated, but the company is treating the access as if exfiltration occurred and is notifying every individual whose records were in the affected systems.
What Anne Arundel Dermatology is offering
AAD is providing 24 months of complimentary credit monitoring and identity theft protection to all 1.9 million affected individuals. Each notification letter contains an enrollment code and instructions for activating the service by phone or online. The enrollment deadline is printed on the individual letter.
Twenty-four months is the longer end of what mid-size providers typically offer for a hacking incident at this scale, but it is far less time than a Social Security number or date of birth remains valid and exploitable. Treat the AAD-paid monitoring as a floor, not a ceiling.
Separately, the $2.4 million class settlement (preliminarily approved February 26, 2026) layers on:
- Up to $5,000 in documented out-of-pocket loss reimbursement per class member
- An alternative pro rata cash payment estimated at $100 (subject to claim volume)
- Three years of CyEx Medical Shield Complete medical-data monitoring
The claims deadline is July 8, 2026. The opt-out / objection deadline is June 9, 2026. The final fairness hearing is July 16, 2026 before the U.S. District Court for the District of Maryland.
The official court-approved settlement website is AnneArundelPrivacySettlement.com. Claims can be submitted online there or by mail to: AAD Settlement Administrator, P.O. Box 1788, Baton Rouge, LA 70821. The settlement administrator can also be reached by phone at 1-844-467-4798 or by email at [email protected].
Class-action and regulatory posture
At least 21 putative class actions were filed in the District of Maryland in the months following AAD’s July 2025 disclosure. The court consolidated them as In Re Anne Arundel Data Breach Litigation, No. 1:25-cv-02274 (D. Md.), and a $2.4 million class settlement received preliminary approval on February 26, 2026.
Firms that publicly investigated or filed on the case include Schubert Jonckheer & Kolbe LLP, Cafferty Clobes Meriwether & Sprengel LLP, and Cotchett, Pitre & McCarthy (CPM Legal). The consolidated complaint alleges AAD failed to maintain reasonable security commensurate with the volume and sensitivity of the patient data it held, and that notification was delayed beyond what HIPAA and state law require.
On the regulatory side, the breach remains listed on the HHS Office for Civil Rights portal with no public enforcement resolution. Multistate Attorney General filings followed the OCR disclosure but no AG-led action has been publicly announced.
What to do if you may be affected
This week:
- Enroll in the complimentary 24-month credit monitoring using the code in your AAD notification letter. Do not let the enrollment deadline lapse. If you cannot find your letter, the AAD call center referenced in the substitute notice can reissue your code.
- Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage protection against new-account fraud and is independent of any monitoring you enroll in. It is free, takes about ten minutes per bureau, and you can temporarily lift it any time.
- File IRS Form 14039 (Identity Theft Affidavit) if your notification letter lists your Social Security number as exposed. This blocks a fraudulent tax return being filed under your SSN.
- Review the AAD class settlement options at the official settlement website AnneArundelPrivacySettlement.com or call the settlement administrator at 1-844-467-4798. Decide whether to file a documented-loss claim (up to $5,000), take the alternative ~$100 cash payment, or opt out by June 9, 2026 if you intend to sue individually. Claims must be submitted by July 8, 2026.
This month:
- Review your Explanation of Benefits statements from your insurer for dermatology services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks, so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
- Watch for follow-on letters. Some AAD affiliated practices, billing vendors, and downstream insurers may issue their own notifications referencing this same incident.
Sources
- HIPAA Journal: Anne Arundel Dermatology Data Breach Affects 1.9 Million Patients
- HIPAA Journal: Anne Arundel Dermatology Pays $2.4M to Settle Data Breach Lawsuit
- SecurityWeek: Anne Arundel Dermatology Data Breach Impacts 1.9 Million People
- Security Affairs: Anne Arundel Dermatology data breach impacts 1.9 million people
- SC Media: Over 1.9M impacted by Anne Arundel Dermatology breach
- TechTarget: 10 largest healthcare data breaches reported to OCR in 2025
- Bloomberg Law: Dermatology Clinics’ $2.4 Million Breach Deal Gets Initial Nod
- ClassAction.org: $2.4M Anne Arundel Dermatology Settlement Ends Class Action Lawsuit
- Schubert Jonckheer & Kolbe: Privacy Alert / Investigation
- Cotchett, Pitre & McCarthy: CPM Investigating the Anne Arundel Dermatology Data Breach
- Cafferty Clobes Meriwether & Sprengel LLP: Anne Arundel Dermatology Data Breach Investigation
- Official Settlement Website: In Re Anne Arundel Data Breach Litigation (1:25-cv-02274-GLR)
- Official Settlement FAQ
- Top Class Actions: $2.4M Anne Arundel Dermatology Data Breach Settlement
- ClaimDepot: Anne Arundel Dermatology $2.4M Settlement
- Paubox: Anne Arundel Dermatology agrees to a $2.4M settlement
- HHS OCR Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Anne Arundel Dermatology Data Breach Affects 1.9 Million Patients
- HIPAA Journal: Anne Arundel Dermatology Pays $2.4M to Settle Data Breach Lawsuit
- SecurityWeek: Anne Arundel Dermatology Data Breach Impacts 1.9 Million People
- Security Affairs: Anne Arundel Dermatology data breach impacts 1.9 million people
- SC Media: Over 1.9M impacted by Anne Arundel Dermatology breach
- TechTarget: 10 largest healthcare data breaches reported to OCR in 2025
- Bloomberg Law: Dermatology Clinics' $2.4 Million Breach Deal Gets Initial Nod
- ClassAction.org: $2.4M Anne Arundel Dermatology Settlement Ends Class Action Lawsuit
- Schubert Jonckheer & Kolbe: Privacy Alert / Investigation
- Cotchett, Pitre & McCarthy: CPM Investigating the Anne Arundel Dermatology Data Breach
- Cafferty Clobes Meriwether & Sprengel LLP: Anne Arundel Dermatology Data Breach Investigation
- Official Settlement Website: In Re Anne Arundel Data Breach Litigation (1:25-cv-02274-GLR)
- Official Settlement FAQ
- Top Class Actions: $2.4M Anne Arundel Dermatology Data Breach Settlement
- ClaimDepot: Anne Arundel Dermatology $2.4M Settlement (with administrator contact details)
- Paubox: Anne Arundel Dermatology agrees to a $2.4M settlement
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.