Maryland dermatology practice said data breach affected over 1.9 million people

Maryland-based dermatology practice Anne Arundel Dermatology said the data security incident it suffered earlier this year compromised the sensitive personal data of more than 1.9 million individuals.

 

Headquartered in Linthicum Heights, Maryland, Anne Arundel Dermatology is a premium full-service dermatology practice in the area surrounding Annapolis, Maryland.

 

In a data security incident notice, AAD said that on May 13, it detected network intrusion where an unauthorised third party breached its internal network. The dermatology practice immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Our review determined that certain data files were accessible to the unauthorised third party for a period of time. We subsequently performed an assessment of these data files and determined, on May 20, 2025, that some of the files contained certain personal or health information when the unauthorised third party had access to them. Our review indicates that the unauthorised access may have begun on February 14, 2025, and ended on May 13, 2025,” AAD said.

 

The compromised data included names, addresses, dates of birth, medical information, and health insurance information. The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights, where AAD said it has identified at least 1,905,000 individuals impacted by the incident.

 

“After the review, we implemented additional security measures to help further protect against this type of incident going forward,” the dermatology practice said.

 

AAD has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on AAD. The dermatology practice also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.