Anne Arundel Dermatology and Mountain Laurel Dermatology have started issuing individual notifications about recent security incidents that potentially involved the theft of patient data.
Anne Arundel Dermatology
Anne Arundel Dermatology, a provider of medical, pediatric, surgical, and aesthetic dermatology services in Florida, Georgia, Maryland, North Carolina, Pennsylvania, Tennessee, and Virginia, has recently started notifying patients about a hacking incident earlier this year. A network intrusion was detected on May 13, 2024, and immediate action was taken to secure its systems and prevent further unauthorized access. The forensic investigation confirmed that the unauthorized access lasted for a month, with the initial network breach occurring on February 14, 2025.
On May 20, 2025, it was confirmed that files on the compromised parts of the network contained personal and protected health information. A file review was initiated and concluded on June 27, 2025, confirming that names, addresses, birth dates, medical information, health insurance information, and other personal information had been exposed. It was not possible to determine if any files on the network were viewed or exfiltrated, so notification letters were mailed to all potentially affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months, and data security measures have been enhanced to prevent similar incidents in the future.
State Attorneys General have been notified about the data breach, but the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected. The Anne Arundel Dermatology website lists more than 100 locations in seven states, so the data breach has the potential to be significant. The Texas Attorney General was informed that 1,862 Texans were affected by the breach.
Mountain Laurel Dermatology
Mountain Laurel Dermatology in Asheville, North Carolina, has also announced a hacking incident with similar dates. According to its data breach notice, unusual activity was identified in an external cloud-based network system on May 12, 2025. Those systems were secured, and third-party cybersecurity experts were engaged to investigate the activity, who determined that there may have been unauthorized access or acquisition of files containing sensitive patient data…