QualDerm Partners Data Breach Impacts 3.1 Million Patients

QualDerm Partners, a healthcare management services provider based in Tennessee, reports a massive data breach to the U.S. Department of Health and Human Services affecting over 3.1 million individuals. 

The incident was discovered on December 24, 2025. An attacker gained access to the company's internal network and accessed sensitive electronic protected health information (e-PHI) from patients across 17 states.

The threat actor maintained access to QualDerm's systems for a 48-hour window between December 23 and December 24, 2025. The compromised data includes:

• Full names and home addresses
• Dates of birth and dates of death
• Email addresses
• Medical record numbers and doctor names
• Diagnosis and treatment information
• Health insurance information
• Government-issued identification (e.g., driver’s license numbers)

The number of affected individuals is 3,117,874. The nature of the attack is not diclosed. 

QualDerm hired a third-party cybersecurity forensics firm to investigate the scope of the incident, isolated the affected systems to contain the breach activity and notified federal law enforcement and regulatory agencies. QualDerm is providing 12 months of free identity theft and credit monitoring services and has set up a dedicated assistance line for patient inquiries.