Anne Arundel Dermatology Data Breach Affects 1.9 Million Patients
Anne Arundel Dermatology and Mountain Laurel Dermatology have started issuing individual notifications about recent security incidents that potentially involved the theft of patient data. The data breach at Anne Arundel Dermatology is one of the largest of the year, affecting more than 1.9 million individuals.
Anne Arundel Dermatology
Anne Arundel Dermatology, a provider of medical, pediatric, surgical, and aesthetic dermatology services in Florida, Georgia, Maryland, North Carolina, Pennsylvania, Tennessee, and Virginia, has recently started notifying patients about a hacking incident earlier this year. A network intrusion was detected on May 13, 2024, and immediate action was taken to secure its systems and prevent further unauthorized access. The forensic investigation confirmed that the unauthorized access lasted for a month, with the initial network breach occurring on February 14, 2025.
On May 20, 2025, it was confirmed that files on the compromised parts of the network contained personal and protected health information. A file review was initiated and concluded on June 27, 2025, confirming that names, addresses, birth dates, medical information, health insurance information, and other personal information had been exposed. It was not possible to determine if any files on the network were viewed or exfiltrated, so notification letters were mailed to all potentially affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months, and data security measures have been enhanced to prevent similar incidents in the future.
State Attorneys General have been notified along with the HHS’ Office for Civil Rights (OCR). The OCR breach portal indicates that the protected health information of 1,905,000 patients was exposed in the attack, making this one of the largest healthcare data breaches to be reported this year.
This post has been updated since publication to reflect the scale of the breach.
Mountain Laurel Dermatology
Mountain Laurel Dermatology in Asheville, North Carolina, has also announced a hacking incident with similar dates. According to its data breach notice, unusual activity was identified in an external cloud-based network system on May 12, 2025. Those systems were secured, and third-party cybersecurity experts were engaged to investigate the activity. They determined that there may have been unauthorized access to, or acquisition of, files containing sensitive patient data.
The review of the affected files was completed on June 27, 2025, and confirmed that the exposed information included names, dates of birth, Social Security numbers, claim information, billing information, test results, and/or other medical treatment or diagnosis information. Mountain Laurel Dermatology said its electronic medical record system was not involved. Steps have been taken to enhance network security, and notification letters have been issued to the affected individuals. The breach notice makes no mention of credit monitoring or identity theft protection services. The HHS’ Office for Civil Rights breach portal indicates 3,324 individuals were affected.


