
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Announced by Shelby Dermatology & Northwestern Community Services Board

Data breaches have been announced by Shelby Dermatology in Alabama and the Northwestern Community Services Board in Virginia. The protected health information of more than 108,000 individuals was compromised across the two incidents.

Dermatologists of Birmingham (Shelby Dermatology)

Shelby Dermatology, doing business as Dermatologists of Birmingham in Alabama, has discovered that the protected health information of 86,414 patients has been exposed and may have been obtained by hackers. Suspicious network activity was identified by Dermatologists of Birmingham on or around March 7, 2025. An investigation was launched to identify the cause, scope, and nature of that activity, with assistance provided by third-party forensics specialists.

The investigation confirmed that an unauthorized third party had accessed its network and potentially obtained sensitive patient information. A comprehensive review was conducted of all exposed files, and that process was completed on May 15, 2025. Dermatologists of Birmingham said the types of data involved vary from individual to individual and may include patient names along with one or more of the following: address, email address, phone number, date of birth, medical diagnosis, treatment information, and health insurance information. A limited subset of individuals also had their Social Security numbers exposed. Individual notification letters were mailed to the affected individuals in early June, and complimentary credit monitoring and identity theft protection services have been offered for 12 months.

Northwestern Community Services Board

Northwestern Community Services Board, a provider of behavioral healthcare services in Virginia, has experienced a cyberattack that involved unauthorized access to the protected health information of 21,856 individuals. The attack was identified on August 8, 2024, when unauthorized network activity was confirmed. Third-party cybersecurity experts were engaged to assist with the investigation and mitigation of the incident and confirmed that patient data had potentially been stolen.


The analysis of the affected data has recently been completed, and notification letters are being sent to the affected individuals. The types of data compromised in the incident include names, medical histories, treatment information, health insurance information, and financial information. The substitute breach notice on the website of the Northwestern Community Services Board states, “There is no indication that any information has been fraudulently misused at this time or will be in the future,” and that, “in an abundance of caution, Northwestern Community Services Board is notifying potentially impacted individuals of this incident.”

While not stated in the notification letters, this appears to have been a ransomware attack by the Black Suit ransomware group, which claims on its dark web data leak site that 34 GB of data was stolen, spread across 36,045 files and 9,110 directories.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
