U.S. Dermatology Partners Announce June 2024 Cyberattack & Data Breach
Data breaches have recently been announced by U.S. Dermatology Partners in Texas, the Smith Institute for Urology in New York, Shore Medical Center in New Jersey, Connections for Kids in Maine, and the Missouri Department of Conservation.
U.S. Dermatology Partners, Texas
U.S. Dermatology Partners (USDP), a network of more than 100 dermatology practices in Arizona, Colorado, Kansas, Maryland, Missouri, Oklahoma, Texas, and Virginia, has recently announced a June 2024 cyberattack and data breach. USDP experienced network disruption on June 19, 2024, indicative of a cyberattack. Assisted by third-party digital forensics experts, USDP confirmed that there had been unauthorized access to its network on June 19, 2024, and files were exfiltrated to “an external destination”.
A comprehensive review of those files was completed on April 2, 2025, when it was confirmed that the stolen data included names, dates of birth, medical record numbers, health insurance information, and other information related to the dermatology services received at one of its managed practices. A limited number of individuals also had their Social Security and/or driver’s license numbers stolen. Notification letters started to be mailed to the affected individuals on May 30, 2025, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.
USDP has only released limited information about the data breach, which is not currently showing on the HHS’ Office for Civil Rights data breach portal, nor the website of Texas state attorney general, despite the breach happening over a year ago. Consequently, it is unclear how many individuals have been affected. Since this article was published, Oliver Street Dermatology Management LLC has reported the breach to the HHS’ Office for Civil Rights as affecting 13,717 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Shore Medical Center, New Jersey
Shore Medical Center in New Jersey has confirmed that it has been affected by the data breach at the debt collections agency, Nationwide Recovery Service. Hackers had access to the NRS network between July 5, 2024, and July 11, 2024, and exfiltrated files containing patient information. The affected patients had delinquent accounts that had been sent to NRS for collection. Data compromised in the incident included names, dates of birth, addresses, diagnoses, provider names, dates of service, patient account numbers, medical record numbers, and/or health insurance information, and for certain individuals, Social Security numbers. Shore Medical Center mailed notification letters to the affected individuals on May 23, 2025. According to the HHS’ Office for Civil Rights breach portal, 31,177 individuals were affected.
The Smith Institute for Urology, New York
The Smith Institute for Urology in New York has identified an insider data breach involving unauthorized access to patient files from a legacy practice called New York Urological Associated P.C. The Smith Institute explained that the unauthorized access was detected in February 2025, and on February 14, 2025, it was confirmed that a former employee had impermissibly accessed the patient files between April 2021 and February 2025.
When detected, the Smith Institute immediately terminated the employee’s access to systems, and he was prevented from returning to the premises. The matter was also promptly reported to law enforcement, and the Smith Institute has been cooperating with the law enforcement investigation. The file review confirmed that the data of 2,263 New York Urological Associated patients had been accessed without authorization, including names, birth dates, contact information, diagnoses, treatment information, provider names, and health insurance information, and for certain patients, Social Security numbers. Since the incident was detected, additional technical safeguards have been implemented. The Smith Institute also confirmed that staff members receive annual training on the importance of patient confidentiality and safeguarding health information.
The Missouri Department of Conservation
The Missouri Department of Conservation (MDC) has recently announced that protected health information was compromised in a February 2025 cybersecurity incident involving one of its servers. The incident was detected in February 2025 and was investigated; however, the review did not indicate that any protected health information was accessed in the incident. Further analysis in April confirmed that some of the files on the server did contain the protected health information of current and former beneficiaries of the MDS health benefits plan.
It was not possible to determine exactly what information was affected for each individual, only that the information may have included names, addresses, dates of birth, phone numbers, and email addresses, along with some or all of the following: health benefits plan enrollment information, Social Security numbers, driver’s license numbers, and state ID numbers. MDC has implemented additional safeguards to prevent similar incidents in the future, and the affected individuals have now been notified by mail and offered complimentary credit monitoring services. The HHS’ Office for Civil Rights breach portal indicates 10,260 individuals have been affected.
Connections for Kids, Maine
Connections for Kids, a mental health agency in South Portland, Maine, identified suspicious activity within its email system in March 2025. Steps were immediately taken to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the activity. On April 17, 2025, Connections for Kids confirmed that there had been intermittent access to email accounts by an unauthorized third party between February 14, 2025, and March 13, 2025.
The affected accounts were reviewed, and the data analysis was completed on May 19, 2025. The protected health information of 938 individuals was potentially viewed or acquired, including names, dates of birth, contact information, provider names, dates of service, diagnosis information, treatment information, and health insurance information. Connections for Kids said email security has been strengthened to prevent similar incidents in the future.
