Active breach tracker Concord, Massachusetts Disclosed November 18, 2025

Dermatology Associates of Concord Data Breach 2025: ANUBIS Ransomware Group Exfiltrates Patient Files in Massachusetts. What To Do.

Dermatology Associates of Concord (DAC), a greater-Boston dermatology practice, identified suspicious activity on September 19, 2025, traced to unauthorized access between September 18-19, 2025. The ANUBIS ransomware group claimed the attack and posted samples to its dark-web leak site on November 6, 2025. DAC filed with HHS OCR and the Massachusetts AG on November 18, 2025, and issued a public substitute notice on February 18, 2026. Exposed data may include Social Security numbers, financial and payment-card data, driver's license and passport numbers, and medical and health-insurance information. Maxey Law Firm is investigating class-action claims.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 18, 2025

Unauthorized third party begins accessing a Dermatology Associates of Concord computer system and copying files

Sep 19, 2025

DAC identifies suspicious activity on its network, engages third-party cybersecurity experts, and notifies law enforcement

Nov 6, 2025

ANUBIS ransomware group publicly lists DAC on its dark-web leak site, claiming exfiltration of patient records

Nov 18, 2025

DAC files initial breach notification with the Massachusetts Attorney General and the HHS Office for Civil Rights

Feb 18, 2026

DAC issues public substitute notice and begins mailing individual notification letters with 24 months of Cyberscout credit monitoring

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number

03

Contact & insurance

Phishing + targeted scams

Full name Address Military identification number Taxpayer identification number Financial account information Payment card information Medical information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Maxey Law Firm, P.A. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Dermatology Associates of Concord (DAC), a greater-Boston dermatology practice operating as Total Skin Health, confirmed that an unauthorized party accessed one of its computer systems between September 18 and September 19, 2025, and copied files containing protected health information. The ANUBIS ransomware group subsequently claimed the attack and posted DAC to its dark-web leak site on November 6, 2025. (ClaimDepot; PR Newswire via Morningstar)

Timeline

  • September 18-19, 2025 — An unauthorized third party accessed a specific computer system on the DAC network and copied files from that system. (Health Technology Net)
  • September 19, 2025 — DAC identified suspicious activity, engaged third-party cybersecurity experts, notified law enforcement, and began enhancing its security protocols. (HIPAA Journal)
  • November 6, 2025 — The ANUBIS ransomware group posted DAC to its dark-web leak site, publicly claiming exfiltration of patient files. (ClaimDepot)
  • November 18, 2025 — DAC filed initial breach notification with the Massachusetts Attorney General and the HHS Office for Civil Rights. (Mass.gov; HHS OCR Breach Portal)
  • February 18, 2026 — DAC issued a public substitute notice and began mailing individual notification letters to affected individuals for whom it had postal addresses. (PR Newswire via Morningstar)

What was exposed

Per DAC’s substitute notice, the types of information potentially impacted vary by individual but may include:

  • Name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Passport number
  • Military identification number
  • Taxpayer identification number
  • Financial account information
  • Payment card information
  • Medical information
  • Health insurance information

DAC states that its electronic medical record (EMR), payment-processing, payroll, and email systems were not impacted; the unauthorized access was confined to a specific computer system from which files were copied. (Health Technology Net)

What DAC is offering

DAC is providing affected individuals with 24 months of complimentary single-bureau credit monitoring, single-bureau credit reports, and single-bureau credit scores through Cyberscout, along with identity-theft and fraud assistance services. A dedicated response line is available at 1-800-405-6108, Monday through Friday, 8:00 a.m. to 8:00 p.m. ET. (ClaimDepot; PR Newswire via Morningstar)

Class-action posture

Maxey Law Firm, P.A. (attorney Ryan Maxey) is publicly investigating class-action claims on behalf of affected DAC patients, with a stated focus on whether Social Security numbers were properly encrypted at rest. The firm reports being in the preliminary investigation phase rather than holding a filed complaint as of this update. (Maxey Law Firm investigation page)

The HHS Office for Civil Rights investigation remains open per the breach portal entry.

What to do if you may be affected

  1. Read your notification letter carefully when it arrives. DAC’s letter lists the specific data elements implicated for your record. The dedicated response line is 1-800-405-6108 (Monday to Friday, 8:00 a.m. to 8:00 p.m. ET). (PR Newswire via Morningstar)
  2. Enroll in the 24-month Cyberscout credit monitoring offered at no cost. Activation deadlines are typically printed on the notification letter; missing them forfeits the benefit.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. Because Social Security numbers, driver’s license numbers, and passport numbers may be in the leaked dataset, a freeze is materially more protective than monitoring alone.
  4. Watch for payment-card fraud and EOB anomalies. Because payment-card information and health-insurance details are in scope, monitor card statements and any explanation-of-benefits statements from your insurer for unfamiliar charges or claims.
  5. Stop the ongoing flow of your dermatology and medical-record data. HealthConsent files HIPAA restriction requests across dermatology practice networks and downstream data brokers.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.