Texas & New Jersey Dermatology Practices Settle Class Action Data Breach Lawsuits
Two U.S. dermatology practices have agreed to settle class action lawsuits stemming from cybersecurity incidents that exposed patient data. The settlements provide cash benefits to class members and credit monitoring and identity theft protection services.
Affiliated Dermatologists & Dermatologic Surgeons Class Action Settlement
Affiliated Dermatologists & Dermatologic Surgeons, a dermatology practice based in Morristown, New Jersey, learned about a cybersecurity incident on March 4, 2025. The forensic investigation determined that an unauthorized third party had access to its computer network from December 19, 2023, to March 5, 2024. The review of the exposed files determined that they contained the protected health information of 373,630 individuals, including names, mailing addresses, birth dates, Social Security numbers, medical treatment information, and health insurance claims information. Compromised employee information includes names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers.
Notification letters were mailed to the affected individuals in late May 2024. Shortly thereafter, class action lawsuits were filed in the Superior Court of New Jersey Law Division for Morris County and the United States District Court for the District of New Jersey. The six class action lawsuits were consolidated – Lepore, et al. v. Affiliated Dermatologists & Dermatologic Surgeons, P.A. – in the Superior Court of New Jersey Law Division for Morris County as they had overlapping claims.
Affiliated Dermatologists & Dermatologic Surgeons deny all claims of wrongdoing and liability and filed a motion to dismiss the consolidated lawsuit. The legal challenge was partially successful, with a judge agreeing to dismiss some of the plaintiffs’ claims; however, the lawsuit was allowed to proceed. Following mediation, all parties reached an agreement on the material terms of a settlement, and after several weeks of negotiations, a settlement was finalized, which has received preliminary approval from the court.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The settlement provides cash payments for class members, which have been capped at an aggregate of $1,000,000. Should the total claims exceed that amount, the cash payments will be reduced pro rata. Class members may submit a claim for reimbursement of up to $5,000 for documented, unreimbursed losses related to the data breach. Alternatively, class members may claim a cash payment, in the preset amount of $40. Regardless of the cash payment chosen, class members are entitled to three years of single-bureau credit monitoring and identity theft insurance services.
The deadline for exclusion from and objection to the settlement is January 31, 2026. The deadline for submitting a claim is February 15, 2026, and the final fairness hearing has been scheduled for March 2, 2026.
U.S. Dermatology Partners Class Action Settlement
U.S. Dermatology Partners, a network of more than 100 dermatology practices in Arizona, Colorado, Kansas, Maryland, Missouri, Oklahoma, Texas, and Virginia, experienced a cyberattack and data breach in June 2024. The incident was detected on June 19, 2024, when network disruption was experienced. The forensic investigation determined that a threat actor exfiltrated files to an external location on June 19, 2024. The file review confirmed that the protected health information of 13,986 individuals was stolen in the incident, including names, dates of birth, medical record numbers, health insurance information, and other information related to the dermatology services received at one of its managed practices. Notification letters were mailed to the affected individuals on May 30, 2025.
On April 27, 2025, a class action lawsuit – Olson v. Oliver Street Dermatology Management LLC d/b/a U.S. Dermatology Partners – was filed in the United States District Court for the Northern District of Texas in response to the data breach. The litigation was determined to be more appropriate for state court and was dismissed and refiled in the appropriate court. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, and unjust enrichment.
While the defendant denies all claims of wrongdoing and liability, all parties ultimately agreed to settle the litigation. Under the terms of the settlement, all class members are entitled to claim two years of credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of lost time and documented losses due to the data breach. The lost time claims have been capped at $80 per class member (up to 4 hours at $20 per hour). Claims for reimbursement of ordinary losses have been capped at $400 per class member, and claims for reimbursement of extraordinary losses have been capped at $4,000 per class member. There is no alternative cash payment.
The deadline for objection to and exclusion from the settlement is February 2, 2026. The deadline for submitting a claim is February 17, 2026, and the final fairness hearing has been scheduled for April 1, 2026.
