Anne Arundel Dermatology data breach impacts 1.9 million people

Hackers breached Anne Arundel Dermatology systems for three months, potentially exposing personal and health data of 1.9 million people.

Anne Arundel Dermatology is a physician-owned and managed dermatology group headquartered in Maryland, founded over 50 years ago. It’s one of the largest dermatology providers in the Mid‑Atlantic and Southeastern United States, operating more than 100 clinics across seven states with over 275 clinicians. The practice offers a full spectrum of services including medical, surgical, pediatric, cosmetic, and dermatopathology care.

Anne Arundel Dermatology (AAD) reported a data breach involving unauthorized access to its systems between February 14 and May 13, 2025. After detecting the intrusion, AAD quickly secured its systems and launched an investigation into the incident. The review confirmed that certain data files were accessible to the intruder during that period. On May 20, 2025, AAD determined that some of the compromised files contained personal or health information.

“From the review, we determined on June 27, 2025, that the personal or health information affected may include your.” reads the data breach notification sent to impacted individuals. “While we do not know whether the third party actually viewed or exfiltrated your information, we are sending you this notice as a precaution and to encourage you to take steps to monitor your information. At this time, we are not aware of any misuse of or fraudulent activity relating to anyone’s personal or health information as a result of this incident.”

According to the US Department of Health and Human Services, the Anne Arundel Dermatology data breach impacted more than 1.9 million individuals.

Customers are advised to remain vigilant for incidents of fraud and identity theft. The organization urges them to regularly review their account statements and monitor their free credit reports.

AAD offers impacted individuals 24 months of identity protection services.

At this time, no known ransomware group has claimed responsibility for the attack.

This week, the Stormous ransomware group claimed the theft of personal and health data belonging to 600,000 patients from health provider North Country HealthCare.

Pierluigi Paganini

(SecurityAffairs – hacking, Anne Arundel Dermatology)