QualDerm Partners Data Breach Exposes Personal, Medical, and Insurance Data of Over 3.1M Individuals

In December 2025, QualDerm Partners suffered a breach that exposed personal, medical, and health‑insurance information of more than 3.1 million people. The incident highlights significant third‑party risk for organizations that rely on QualDerm for dermatology practice management and PHI handling.

🛡️ LiveThreat™ Intelligence · 📅 March 25, 2026 · 📰 securityaffairs.com
Severity: High · Type: Breach · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: securityaffairs.com


What Happened – In December 2025, unauthorized actors accessed limited QualDerm Partners systems and exfiltrated personal, medical, and health‑insurance information belonging to 3,117,874 individuals. The breach was discovered on December 24, 2025 and contained, and a forensic investigation was launched with a third‑party firm.

Why It Matters for TPRM

  • Exposure of protected health information (PHI) creates regulatory (HIPAA) and reputational risk for any organization that relies on QualDerm’s services.
  • The scale (>3 M records) amplifies potential downstream attacks such as identity theft, fraud, and credential stuffing against partner networks.
  • Third‑party risk assessments must verify that QualDerm implements robust data‑segmentation, encryption, and incident‑response controls.

Who Is Affected – Dermatology clinics, health‑care providers, insurers, and any downstream vendors that integrate with QualDerm’s patient‑record and billing platforms.

Recommended Actions

  • Review contracts and data‑processing addendums with QualDerm for HIPAA‑compliant safeguards.
  • Validate that encryption at rest and in transit is enforced for all PHI.
  • Request the forensic investigation report and evidence of remediation steps.
  • Accelerate monitoring for identity‑theft indicators among affected individuals.

Technical Notes – Attack vector not disclosed; likely unauthorized credential use or exploitation of an internal vulnerability. No specific CVEs were cited. Stolen data includes names, dates of birth, medical diagnoses, treatment histories, health‑insurance details, and occasionally driver's license numbers. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/189917/data-breach/qualderm-partners-december-2025-data-breach-impacts-over-3-million-people.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
