QualDerm Partners Data Breach 2026: 3.1M Dermatology Patients Exposed Across 17 States. What Was Stolen and What To Do
The QualDerm Partners data breach disclosed February 2026 exposed personal and medical information for 3,117,874 patients across 158 dermatology practices in 17 states. If you received a notification letter from QualDerm or any of its affiliated practices (Pinnacle Dermatology, Cumberland Skin Surgery, Webster Dermatology, and dozens more), here is what was taken and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 23, 2025
Unauthorized access began
Dec 24, 2025
Anomalous activity detected and contained the same day
Feb 22, 2026
Filed with HHS OCR; individual letters mailed
Feb 25, 2026
First federal class actions filed (M.D. Tenn.)
Mar 24, 2026
Litigation expands; 7+ federal complaints pending
Dec 23, 2025
Unauthorized access began
Dec 24, 2025
Anomalous activity detected and contained the same day
Feb 22, 2026
Filed with HHS OCR; individual letters mailed
Feb 25, 2026
First federal class actions filed (M.D. Tenn.)
Mar 24, 2026
Litigation expands; 7+ federal complaints pending
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
QualDerm Partners is a private-equity-backed dermatology platform headquartered in Brentwood, Tennessee. It operates 158 affiliated dermatology and skin care practices across 17 states under dozens of regional brand names. Harvest Partners is the parent private equity firm.
On December 24, 2025, QualDerm detected anomalous activity inside its network. The activity was contained the same day. A third-party cybersecurity forensics firm was engaged to investigate.
The investigation found that an unauthorized actor had access to parts of the network for approximately 24 hours, between December 23 and December 24, 2025, and “removed certain information” before being detected. The intrusion window was unusually narrow compared to most large healthcare breaches.
QualDerm filed with the US Department of Health and Human Services Office for Civil Rights on February 22, 2026, confirming 3,117,874 affected individuals. State attorneys general in California, Oregon, and Texas received parallel filings. Texas confirmed 174,837 Texas residents in the affected pool.
QualDerm has not attributed the intrusion to any named threat actor. No ransom has been disclosed and no data has been observed on dark web leak sites tied to the QualDerm compromise.
What was stolen
The notification letter (per the sample filed with the California Attorney General) confirms that the compromised data may have included:
- Full name
- Email address
- Date of birth
- Date of death (where applicable)
- Doctor name
- Medical record number
- Diagnoses
- Treatment information
- Health insurance information
QualDerm’s notice explicitly states the breach did not impact Social Security numbers, driver’s license numbers, or financial account information. That is a meaningful distinction from many other healthcare breaches: identity-theft risk is real but more limited, while medical-identity-theft risk (someone using your dermatology insurance benefits, or your diagnosis data being sold downstream) is the primary exposure.
Note that QualDerm’s affiliated practices treat skin-cancer patients, biopsy patients, cosmetic-procedure patients, and Mohs-surgery patients. The “treatment information” category includes the diagnoses associated with those procedures, which are often sensitive and not the kind of data a credit-monitoring service can help protect.
Who is affected (affiliated practice brands)
QualDerm’s affiliated practices operate under many regional brand names. If you received care at any of the following, your records may have been in the compromised system:
Tennessee (HQ region): Brentwood Dermatology · Cumberland Skin Surgery & Dermatology · Mid TN Skin Surgery and Dermatology · Synergy Plastic Surgery · Tru-Skin Dermatology
Multi-state regional brands: Pinnacle Dermatology · Webster Dermatology · Dermatology Affiliates · Dermatology of Athens · New Horizons Center for Cosmetic Surgery · Dermatology Associates & Surgery Center (Hagerstown) · Omni Cosmetic · Brassfield Dermatology · Dermatology Specialists of Charlotte · Lupton Dermatology · Pinehurst Dermatology & Mohs Surgery Center · Riva Dermatology · SeaCoast Skin Surgery · The Dermatology and Skin Surgery Center (Creedmoor and Wilmington locations) · The Laser Institute of Pinehurst · The Skin Surgery Center · Macaione & Papa Dermatology Associates
Ohio: Advanced Dermatology of North Central Ohio · Andrew Quillin Dermatology · Barrett & Geiss Dermatology · Blodgett Dermatology · Center for Surgical Dermatology & Dermatology Associates · Dermatology & Aesthetic Care · Dermatology of Central Ohio · Dermatology of Southeastern Ohio · Westerville Dermatology
Pennsylvania: Bikowski Skin Care Center · Keystone Dermatology Partners · King-Maceyko Dermatology · North Hills Center for Dermatology · Pittsburgh Dermatology & Skin Cancer Center · Rencic Dermatology · Scott J. M. Lim, DO · Zitelli, Brodland & Lim Skin Cancer Center
Other states: The Skin Surgery Center at Charleston · Tru-Skin Dermatology
A current and complete list lives at qualderm.com/affiliate-practices. If your provider is not on the list above but you received QualDerm-branded billing or insurance correspondence, you should treat yourself as potentially affected and watch your mail for a notification letter.
What QualDerm is offering
Affected individuals are being directed to enroll in 12 months of complimentary single-bureau credit monitoring through Cyberscout (a TransUnion company). The package includes credit report, credit score, cyber monitoring, and identity-theft protection services.
- Enrollment:
bfs.cyberscout.com/activate(you will need the activation code from your notification letter) - Assistance line: 1-855-522-4707, Monday to Friday, 8 a.m. to 8 p.m. Eastern
Credit monitoring helps catch identity theft signals on the credit-report side. It does not address the dermatology-specific concerns: someone using your insurance to obtain skin-cancer treatment, your diagnosis information being sold to data brokers, or your dermatology-treatment history being included in profile-building by ad-tech platforms.
What to do if you received a notification letter
This week:
- Activate the Cyberscout monitoring through the link in your letter. Twelve months is the standard offer; use the full window.
- Place a free credit freeze at Equifax, Experian, and TransUnion as a baseline. Even though SSN was not exposed, this is a low-cost defensive move.
- Review your insurance Explanation of Benefits statements for any dermatology, biopsy, or skin-procedure claims you do not recognize. This is the earliest sign of medical identity theft.
- Review email inbox security. Email addresses were exposed, so phishing attempts using your QualDerm affiliate’s name are a likely follow-on attack.
This month:
- Stop the ongoing flow of your dermatology data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the diagnosis and treatment data exposed in this breach is not continuously re-shared and sold by other entities downstream.
- Check whether your specific QualDerm-affiliated practice has its own notice. Some practices have posted incident pages with additional local detail (specific medical record number ranges, specific treatment-history categories) beyond the corporate-level QualDerm notice.
Frequently asked questions
How do I know if I am a QualDerm patient?
You may not know. Many QualDerm-affiliated practices brand themselves under regional names (Pinnacle, Cumberland, Webster, Pinehurst, etc.) without prominent QualDerm branding. Check whether your billing statements, insurance EOBs, or appointment confirmations reference QualDerm Partners, LLC. The complete affiliate list is at qualderm.com/affiliate-practices.
Why is the breach window so short?
Twenty-four hours is genuinely narrow. The forensic investigation appears to have concluded that the actor entered the network and exfiltrated data within a single day before being detected. Most healthcare breaches involve weeks or months of dwell time. The narrow window suggests the attacker came in with a specific target list rather than performing slow reconnaissance.
Was my Social Security number exposed?
According to QualDerm’s notification letter (verbatim from the California Attorney General filing): no. The breach did not impact Social Security numbers, driver’s license numbers, or financial account information. This is a more limited exposure than many large healthcare breaches.
Should I sue?
At least seven federal class actions have been filed in the Middle District of Tennessee since the February notifications, including Binion v. QualDerm Partners (3:26-cv-00207), Grazioli v. QualDerm Partners (3:26-cv-00210), Darche v. QualDerm Partners (3:26-cv-00217), and others. Consolidation is the expected next step. Multiple plaintiffs’ firms are accepting affected individuals. We are not a law firm and cannot give legal advice.
Is HealthConsent affiliated with QualDerm or any of its practices?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- QualDerm Partners: Notice of Data Privacy Event
- QualDerm Affiliate Practices Directory
- California Attorney General: QualDerm Filing
- California Attorney General: QualDerm Sample Notice
- HIPAA Journal: QualDerm Partners Data Breach
- SecurityWeek: 3.1 Million Impacted by QualDerm Data Breach
- Cybernews: QualDerm Data Breach Affects 3.1 Million Across 17 States
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.