Medical Imaging; Dermatology Practices Announce Data Breaches Impacting 3.3 Million Patients
Two massive data breaches have recently been announced by a dermatology practice and a medical imaging service provider that exposed the protected health information of more than 3.3 million patients. These two security incidents are among the largest healthcare data breaches of 2025.
Anne Arundel Dermatology
On July 11, 2025, Annapolis, MD-based Anne Arundel Dermatology reported a network server hacking incident to the HHS’ Office for Civil Rights (OCR) that potentially involved unauthorized access to the PHI of 1,905,000 individuals.
Anne Arundel Dermatology has more than 100 locations in Maryland, Florida, Georgia, North Carolina, Virginia, Pennsylvania, and Tennessee, and offers medical, surgical, and cosmetic procedures. Suspicious activity was identified within its computer network, and the forensic investigation confirmed that an unauthorized individual had access to its network between February 14, 2025, and May 13, 2025, when the intrusion was detected and blocked.
On May 20, 2025, the investigation confirmed that files on the compromised parts of the network contained patient data, and the review of those files was completed on June 27, 2025. The exposed data included names, addresses, birth dates, medical information, health insurance information, and other sensitive data. The investigation did not determine whether any of that information was accessed or copied from the network, and at the time of issuing notification letters, no evidence had been found to indicate any patient data had been misused. Details of the nature of the breach, such as whether ransomware was used, were not disclosed in the notification letters.
Several class action lawsuits have already been filed by individuals whose sensitive data was exposed. The lawsuits assert a variety of claims, including negligence for failing to keep patient data private and confidential.
Radiology Associates of Richmond
Radiology Associates of Richmond, a provider of medical imaging services at seven central Virginia hospitals and three outpatient imaging centers, reported a network server hacking incident to OCR on July 1, 2025, that involved the PHI of 1,419,091 individuals. An intrusion was detected and blocked on April 6, 2024, and the forensic investigation confirmed unauthorized access to its network between April 2, 2024, and April 6, 2024. Due to the complex nature of the data review, it took until May 2, 2025, to determine the individuals affected and the types of data involved.
Radiology Associates of Richmond recently confirmed that the exposed files contained identifiable protected health and personal information such as names, birth dates, email addresses, account numbers, routing numbers, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any of the exposed information has been or will be misused.
As a precaution against identity theft and fraud, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Several lawsuits have already been filed over the data breach that allege negligence and also take issue with the length of time it has taken to issue breach notification letters.
