Active breach tracker Brentwood, TN Disclosed February 22, 2026

QualDerm Partners Data Breach 2026: 3.1M Dermatology Patients Exposed Across 17 States. What Was Stolen and What To Do

The QualDerm Partners data breach disclosed February 2026 exposed personal and medical information for 3,117,874 patients across 158 dermatology practices in 17 states. If you received a notification letter from QualDerm or any of its affiliated practices (Pinnacle Dermatology, Cumberland Skin Surgery, Webster Dermatology, and dozens more), here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 23, 2025

Unauthorized access began

Dec 24, 2025

Anomalous activity detected and contained the same day

Feb 22, 2026

Filed with HHS OCR; individual letters mailed

Feb 25, 2026

First federal class actions filed (M.D. Tenn.)

Mar 24, 2026

Litigation expands; 7+ federal complaints pending

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number Diagnoses Treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Email address Date of death (where applicable) Doctor name Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli Lynch Carpenter Schubert Jonckheer & Kolbe Stueve Siegel Hanson Edelson Lechtzin Levi & Korsinsky Murphy Law Firm Cory Watson
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

QualDerm Partners is a private-equity-backed dermatology platform headquartered in Brentwood, Tennessee. It operates 158 affiliated dermatology and skin care practices across 17 states under dozens of regional brand names. Harvest Partners is the parent private equity firm.

On December 24, 2025, QualDerm detected anomalous activity inside its network. The activity was contained the same day. A third-party cybersecurity forensics firm was engaged to investigate.

The investigation found that an unauthorized actor had access to parts of the network for approximately 24 hours, between December 23 and December 24, 2025, and “removed certain information” before being detected. The intrusion window was unusually narrow compared to most large healthcare breaches.

QualDerm filed with the US Department of Health and Human Services Office for Civil Rights on February 22, 2026, confirming 3,117,874 affected individuals. State attorneys general in California, Oregon, and Texas received parallel filings. Texas confirmed 174,837 Texas residents in the affected pool.

QualDerm has not attributed the intrusion to any named threat actor. No ransom has been disclosed and no data has been observed on dark web leak sites tied to the QualDerm compromise.

What was stolen

The notification letter (per the sample filed with the California Attorney General) confirms that the compromised data may have included:

  • Full name
  • Email address
  • Date of birth
  • Date of death (where applicable)
  • Doctor name
  • Medical record number
  • Diagnoses
  • Treatment information
  • Health insurance information

QualDerm’s notice explicitly states the breach did not impact Social Security numbers, driver’s license numbers, or financial account information. That is a meaningful distinction from many other healthcare breaches: identity-theft risk is real but more limited, while medical-identity-theft risk (someone using your dermatology insurance benefits, or your diagnosis data being sold downstream) is the primary exposure.

Note that QualDerm’s affiliated practices treat skin-cancer patients, biopsy patients, cosmetic-procedure patients, and Mohs-surgery patients. The “treatment information” category includes the diagnoses associated with those procedures, which are often sensitive and not the kind of data a credit-monitoring service can help protect.

Who is affected (affiliated practice brands)

QualDerm’s affiliated practices operate under many regional brand names. If you received care at any of the following, your records may have been in the compromised system:

Tennessee (HQ region): Brentwood Dermatology · Cumberland Skin Surgery & Dermatology · Mid TN Skin Surgery and Dermatology · Synergy Plastic Surgery · Tru-Skin Dermatology

Multi-state regional brands: Pinnacle Dermatology · Webster Dermatology · Dermatology Affiliates · Dermatology of Athens · New Horizons Center for Cosmetic Surgery · Dermatology Associates & Surgery Center (Hagerstown) · Omni Cosmetic · Brassfield Dermatology · Dermatology Specialists of Charlotte · Lupton Dermatology · Pinehurst Dermatology & Mohs Surgery Center · Riva Dermatology · SeaCoast Skin Surgery · The Dermatology and Skin Surgery Center (Creedmoor and Wilmington locations) · The Laser Institute of Pinehurst · The Skin Surgery Center · Macaione & Papa Dermatology Associates

Ohio: Advanced Dermatology of North Central Ohio · Andrew Quillin Dermatology · Barrett & Geiss Dermatology · Blodgett Dermatology · Center for Surgical Dermatology & Dermatology Associates · Dermatology & Aesthetic Care · Dermatology of Central Ohio · Dermatology of Southeastern Ohio · Westerville Dermatology

Pennsylvania: Bikowski Skin Care Center · Keystone Dermatology Partners · King-Maceyko Dermatology · North Hills Center for Dermatology · Pittsburgh Dermatology & Skin Cancer Center · Rencic Dermatology · Scott J. M. Lim, DO · Zitelli, Brodland & Lim Skin Cancer Center

Other states: The Skin Surgery Center at Charleston · Tru-Skin Dermatology

A current and complete list lives at qualderm.com/affiliate-practices. If your provider is not on the list above but you received QualDerm-branded billing or insurance correspondence, you should treat yourself as potentially affected and watch your mail for a notification letter.

What QualDerm is offering

Affected individuals are being directed to enroll in 12 months of complimentary single-bureau credit monitoring through Cyberscout (a TransUnion company). The package includes credit report, credit score, cyber monitoring, and identity-theft protection services.

  • Enrollment: bfs.cyberscout.com/activate (you will need the activation code from your notification letter)
  • Assistance line: 1-855-522-4707, Monday to Friday, 8 a.m. to 8 p.m. Eastern

Credit monitoring helps catch identity theft signals on the credit-report side. It does not address the dermatology-specific concerns: someone using your insurance to obtain skin-cancer treatment, your diagnosis information being sold to data brokers, or your dermatology-treatment history being included in profile-building by ad-tech platforms.

What to do if you received a notification letter

This week:

  1. Activate the Cyberscout monitoring through the link in your letter. Twelve months is the standard offer; use the full window.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion as a baseline. Even though SSN was not exposed, this is a low-cost defensive move.
  3. Review your insurance Explanation of Benefits statements for any dermatology, biopsy, or skin-procedure claims you do not recognize. This is the earliest sign of medical identity theft.
  4. Review email inbox security. Email addresses were exposed, so phishing attempts using your QualDerm affiliate’s name are a likely follow-on attack.

This month:

  1. Stop the ongoing flow of your dermatology data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the diagnosis and treatment data exposed in this breach is not continuously re-shared and sold by other entities downstream.
  2. Check whether your specific QualDerm-affiliated practice has its own notice. Some practices have posted incident pages with additional local detail (specific medical record number ranges, specific treatment-history categories) beyond the corporate-level QualDerm notice.

Frequently asked questions

How do I know if I am a QualDerm patient?

You may not know. Many QualDerm-affiliated practices brand themselves under regional names (Pinnacle, Cumberland, Webster, Pinehurst, etc.) without prominent QualDerm branding. Check whether your billing statements, insurance EOBs, or appointment confirmations reference QualDerm Partners, LLC. The complete affiliate list is at qualderm.com/affiliate-practices.

Why is the breach window so short?

Twenty-four hours is genuinely narrow. The forensic investigation appears to have concluded that the actor entered the network and exfiltrated data within a single day before being detected. Most healthcare breaches involve weeks or months of dwell time. The narrow window suggests the attacker came in with a specific target list rather than performing slow reconnaissance.

Was my Social Security number exposed?

According to QualDerm’s notification letter (verbatim from the California Attorney General filing): no. The breach did not impact Social Security numbers, driver’s license numbers, or financial account information. This is a more limited exposure than many large healthcare breaches.

Should I sue?

At least seven federal class actions have been filed in the Middle District of Tennessee since the February notifications, including Binion v. QualDerm Partners (3:26-cv-00207), Grazioli v. QualDerm Partners (3:26-cv-00210), Darche v. QualDerm Partners (3:26-cv-00217), and others. Consolidation is the expected next step. Multiple plaintiffs’ firms are accepting affected individuals. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with QualDerm or any of its practices?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.