QualDerm Partners has confirmed a data breach affecting 1,088,993 individuals following a cybersecurity incident involving unauthorized access to its network environment.
Incident Overview
QualDerm Partners reported that it experienced a cybersecurity incident that involved unauthorized access to its network. The organization identified suspicious activity within its network environment on September 6, 2024. In response, QualDerm Partners took steps to secure its systems and initiated an investigation with the assistance of third party cybersecurity specialists.
The investigation determined that an unauthorized actor accessed certain systems between August 18, 2024 and September 6, 2024. During that period, files were accessed and extracted without authorization. QualDerm Partners conducted a review of the affected data to determine the individuals whose information may have been involved.
On January 24, 2025, QualDerm Partners began providing written notice to impacted individuals in compliance with HIPAA laws. The organization also established a dedicated toll free call center to respond to questions.
Scope of Information Involved
QualDerm Partners reported that the information involved in the incident may have included individuals’ names. The review determined that other data elements may also have been involved, but differs from one individual to the other. The following data elements may have been compromised: addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical information, and medical insurance details.
Organizational Response
QualDerm Partners implemented measures to contain the incident and secure its systems. The organization reported that it reset passwords and enhanced security monitoring following the detection of the suspicious activity. QualDerm Partners also stated that it is reviewing and enhancing its existing security policies and procedures.
The organization indicated that it is offering free credit monitoring and identity protection services to individuals whose Social Security numbers or other sensitive information were involved.
QualDerm Partners filed a notice with the U.S. Department of Health and Human Services Office for Civil Rights indicating that 1,088,993 individuals were affected by the incident.
Regulatory Considerations
The incident involves the unauthorized access and acquisition of protected health information (PHI). Under the HIPAA Breach Notification Rule, HIPAA-certified entities must provide notification to affected individuals without unreasonable delay and no later than 60 days following the discovery of a breach. The HIPAA Breach Notification Rule also requires notifying the U.S. Department of Health and Human Services Office for Civil Rights when a breach affects 500 or more individuals. QualDerm Partners began notifying affected individuals on January 24, 2025.
