Brevard Skin and Cancer Center Data Breach 2025: 54,570 Florida Dermatology and Skin Cancer Patients Exposed in PEAR Ransomware Attack. What To Do
Brevard Skin and Cancer Center, a five-location dermatology and Mohs surgery practice on Florida's Space Coast, filed a Hacking/IT Incident report with HHS OCR on December 12, 2025 affecting 54,570 individuals. An unauthorized actor accessed the network around September 28, 2025; the PEAR extortion group later claimed theft of 1.8 TB of data including names, Social Security numbers, dates of birth, dermatology and skin cancer diagnoses, and clinical information. Multiple class action investigations are underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 28, 2025
Unauthorized third party accessed Brevard Skin and Cancer Center's network
Oct 14, 2025
BSCC detected suspicious activity and engaged outside forensic counsel
Dec 12, 2025
BSCC filed Hacking/IT Incident report with HHS OCR (54,570 affected, network server)
Dec 19, 2025
BSCC disclosed the breach to the Maine, Vermont, and Massachusetts attorneys general offices
Dec 22, 2025
Migliaccio & Rathod LLP, Federman & Sherwood, Cole & Van Note, Shamis & Gentile P.A., and Markovits, Stock & DeMarco announced class action investigations
Dec 26, 2025
Individual notification letters mailed to affected patients and employees; Maine AG filing lists 55,500 total notice recipients (10 Maine residents)
Mar 26, 2026
IDX credit monitoring enrollment deadline
Sep 28, 2025
Unauthorized third party accessed Brevard Skin and Cancer Center's network
Oct 14, 2025
BSCC detected suspicious activity and engaged outside forensic counsel
Dec 12, 2025
BSCC filed Hacking/IT Incident report with HHS OCR (54,570 affected, network server)
Dec 19, 2025
BSCC disclosed the breach to the Maine, Vermont, and Massachusetts attorneys general offices
Dec 22, 2025
Migliaccio & Rathod LLP, Federman & Sherwood, Cole & Van Note, Shamis & Gentile P.A., and Markovits, Stock & DeMarco announced class action investigations
Dec 26, 2025
Individual notification letters mailed to affected patients and employees; Maine AG filing lists 55,500 total notice recipients (10 Maine residents)
Mar 26, 2026
IDX credit monitoring enrollment deadline
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Brevard Skin and Cancer Center (BSCC) is a Florida Space Coast dermatology and skin cancer practice that has served Brevard County for over 55 years, founded in 1968. It operates five locations: Merritt Island, Rockledge, Titusville, Viera, and Palm Bay. The practice provides general dermatology, surgical dermatology, and Mohs micrographic surgery for skin cancer.
On or about September 28, 2025, an unauthorized third party gained access to BSCC’s network. BSCC identified the suspicious activity on October 14, 2025, immediately engaged outside cybersecurity experts and forensic counsel, and notified the FBI. On December 12, 2025, BSCC filed a Hacking/IT Incident report with the U.S. Department of Health and Human Services Office for Civil Rights, listing 54,570 individuals affected and a network server as the location of the breached information.
The PEAR extortion group posted about the breach on its dark-web leak site on October 10, 2025, asserting it had exfiltrated approximately 1.8 terabytes of BSCC data. PEAR (Pure Extraction and Ransom) emerged in August 2025 and operates a pure-exfiltration extortion model: it does not encrypt victim systems, instead pressuring payment by threatening to publish stolen files. BSCC has not publicly confirmed PEAR’s claims or stated whether a ransom was paid.
Individual notification letters were mailed on December 26, 2025. The Maine Attorney General filing lists 55,500 total notice recipients (10 Maine residents); the higher figure reflects employees and additional cohorts swept into the notification mailing beyond the 54,570-patient count reported to HHS.
What we know about the timeline
- September 28, 2025 - Unauthorized access to BSCC’s network begins.
- October 10, 2025 - PEAR extortion group posts the breach on its dark-web leak site, claiming 1.8 TB stolen from BSCC.
- October 14, 2025 - BSCC detects suspicious activity, engages forensic counsel and cybersecurity experts, and notifies the FBI.
- December 12, 2025 - BSCC files Hacking/IT Incident report with HHS OCR (54,570 affected, network server).
- December 19, 2025 - BSCC discloses the breach to the Maine, Vermont, and Massachusetts attorneys general offices.
- December 22, 2025 - Migliaccio & Rathod LLP, Federman & Sherwood, Cole & Van Note, Shamis & Gentile P.A., and Markovits, Stock & DeMarco publicly announce class action investigations.
- December 26, 2025 - Individual notification letters mailed; Maine AG filing reflects 55,500 total notice recipients.
- March 26, 2026 - IDX complimentary credit monitoring enrollment deadline printed on notice letters.
The roughly two-month gap between detection (October 14) and notification (late December) sits inside HIPAA’s 60-day outer limit, though the law firms investigating the case are scrutinizing whether file review and notification could have moved faster given the sensitivity of the exposed dataset.
What was exposed
Per BSCC’s notice letter and the Maine AG filing, the exposed dataset varies by individual and may include:
- Full name, home address, phone number, email address
- Date of birth
- Social Security number
- Diagnosis and clinical information (dermatology visit history, skin cancer diagnoses, biopsy and pathology results, treatment plans, Mohs surgery records)
- Billing and claims information (health insurer, plan, claims data)
- Employee records for current and former BSCC staff, including FMLA-related health condition information
PEAR’s claim of 1.8 TB exfiltrated implies the stolen dataset is substantially larger than a typical demographic-plus-SSN cohort. For a dermatology and skin cancer practice, that volume is consistent with full clinical records: visit notes, dermoscopy and clinical photographs, pathology reports, Mohs maps, and insurance correspondence.
Why this matters more for cancer and dermatology patients
The clinical information exposed in this breach is not generic. For BSCC’s patient population it includes:
- Skin cancer diagnoses, staging, and treatment history. Basal cell, squamous cell, melanoma, and other cutaneous malignancies. This is information patients commonly choose not to share with employers, life insurers, or long-term care underwriters. Once it is in the hands of an extortion group and posted to a leak site, that choice is gone.
- Mohs surgery records and clinical photographs. High-resolution images of identifiable body regions, tied to a named patient and a cancer diagnosis. These are usable for targeted extortion and harassment in a way demographic data alone is not.
- Dermatology visit history. Including treatment for conditions patients often regard as private (acne, hidradenitis, psoriasis, sexually-transmitted skin conditions, gender-affirming dermatology, cosmetic procedures).
- Insurance and billing data tied to oncology codes. Usable for medical identity theft directed at specialty care, where fraudulent claims are larger and harder to spot than primary-care fraud.
Patients in active or recent cancer treatment should treat the medical-identity-theft and life-insurance-underwriting risks here as elevated, not theoretical.
What Brevard Skin and Cancer Center is offering
BSCC is providing 24 months of complimentary credit monitoring and identity theft protection through IDX, including:
- Credit monitoring at the three major bureaus
- CyberScan dark-web monitoring
- $1 million identity theft reimbursement insurance
- Fully managed identity theft recovery services
- Lost wallet assistance
The enrollment deadline printed on individual letters is March 26, 2026. Patients who cannot find their letter can call IDX directly at 1-833-779-4803, Monday through Friday from 9 a.m. to 9 p.m. Eastern Time, excluding holidays. The IDX mailing address is P.O. Box 1907, Suwanee, GA 30024.
Twenty-four months of monitoring is the longer end of the range for an incident at this scale, but it ends long before a Social Security number, date of birth, or a permanent cancer diagnosis stops being exploitable. Treat the BSCC-paid program as a floor.
Class-action and regulatory posture
At least six class action firms publicly announced investigations following the notice mailing:
- Migliaccio & Rathod LLP (announced December 22, 2025)
- Federman & Sherwood (announced December 22, 2025)
- Cole & Van Note (announced December 22, 2025)
- Shamis & Gentile P.A. (investigating)
- Markovits, Stock & DeMarco, LLC (announced December 22, 2025)
- Mason LLP (investigating)
The investigations focus on whether BSCC implemented reasonable data security measures commensurate with the volume and sensitivity of the patient and employee data it held, whether the intrusion was preventable, and whether notification was issued promptly.
On the regulatory side, BSCC filed multistate AG notices beginning December 19, 2025. Confirmed AG filings include Maine, Vermont, and Massachusetts. The HHS OCR portal reflects the breach as a Hacking/IT Incident under active review.
No consolidated class action complaint or filed lawsuit has been publicly docketed as of this update. Expect filings in the Middle District of Florida (the federal venue covering Brevard County) in the months following the notice mailing.
What to do if you may be affected
This week:
- Enroll in the complimentary 24-month IDX credit monitoring using the code in your BSCC notification letter. The enrollment deadline is March 26, 2026. If you cannot find your letter, call IDX at 1-833-779-4803 (Monday through Friday, 9 a.m. to 9 p.m. ET, excluding holidays) and request a reissued code.
- Place a free credit freeze at Equifax, Experian, and TransUnion. Full Social Security number is in scope. A freeze is independent of any monitoring you enroll in, takes about ten minutes per bureau, and can be temporarily lifted at any time.
- File IRS Form 14039 (Identity Theft Affidavit) to block a fraudulent tax return being filed under your SSN.
This month:
- Review your Explanation of Benefits statements from your health insurer for dermatology, pathology, or Mohs surgery claims you did not receive. Medical identity theft directed at specialty care often surfaces in EOBs weeks or months after the underlying fraud.
- If you are in active cancer treatment or follow-up, consider notifying your oncologist’s office and primary insurer that your BSCC records were involved in the PEAR incident, so any unfamiliar claims tied to skin cancer codes can be flagged immediately.
- Decide whether to contact one of the investigating class action firms. Migliaccio & Rathod, Federman & Sherwood, Cole & Van Note, Mason LLP, Shamis & Gentile P.A., and Markovits, Stock & DeMarco are taking inquiries from affected individuals. There is no filed class complaint yet, so there is no opt-out deadline running today.
- Stop the ongoing flow of your dermatology and oncology data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks, so the SSN, date-of-birth, insurance, and clinical-history information exposed in this breach is not continuously re-shared and resold by downstream entities.
- Watch for follow-on letters from BSCC-affiliated billing vendors, pathology labs, and insurers that may issue their own notifications referencing this same incident.
Sources
- HIPAA Journal: Brevard Skin and Cancer Center Announces September Cyberattack
- Comparitech: Florida dermatologist warns 55,000+ people of data breach that compromised SSNs, medical info
- Maine Attorney General: Brevard Skin and Cancer Center Data Breach Notification Filing
- Massachusetts Attorney General: Brevard Skin and Cancer Center Notice Letter (case 2025-2133)
- Migliaccio & Rathod LLP: Brevard Skin and Cancer Center Data Breach Investigation
- Federman & Sherwood: Brevard Skin and Cancer Center Data Breach Investigation
- Cole & Van Note: Brevard Skin and Cancer Center Data Breach Investigation
- Markovits, Stock & DeMarco LLC: Brevard Skin and Cancer Center Data Breach Class Action Investigation
- Compliance Junction: PHI Exposed in Brevard Skin and Cancer Center Cyberattack
- BreachSense: Brevard Skin and Cancer Center Data Breach (PEAR, 1.8 TB)
- HHS OCR Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Brevard Skin and Cancer Center Announces September Cyberattack
- Comparitech: Florida dermatologist warns 55,000+ people of data breach that compromised SSNs, medical info
- Maine Attorney General: Brevard Skin and Cancer Center Data Breach Notification Filing
- Massachusetts Attorney General: Brevard Skin and Cancer Center Notice Letter (case 2025-2133)
- Migliaccio & Rathod LLP: Brevard Skin and Cancer Center Data Breach Investigation
- Federman & Sherwood: Brevard Skin and Cancer Center Data Breach Investigation
- Cole & Van Note: Brevard Skin and Cancer Center Data Breach Investigation
- Markovits, Stock & DeMarco LLC: Brevard Skin and Cancer Center Data Breach Class Action Investigation
- Compliance Junction: PHI Exposed in Brevard Skin and Cancer Center Cyberattack
- BreachSense: Brevard Skin and Cancer Center Data Breach (PEAR, 1.8 TB)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.