apderm.com Data Breach
APDerm Dermatology Practice Network Breach (2025): Patient SSN Exposed
Dermatology practice management group and skin care provider.
Risk Interpretation
High risk of identity theft, medical fraud, and privacy harm tied to specialty treatment data. Networked practices also create broader scale for phishing and insurance abuse.
Impact & Downstream Threats
APDerm faces significant institutional exposure given its network scale and the prior HIPAA enforcement history. Federal HIPAA notification obligations, an Office for Civil Rights review, multistate attorney-general filings, and active class-action investigations create a substantial compliance and litigation pipeline. The 2014 photocopier-breach settlement establishes that HHS has a documented enforcement relationship with the practice, which can affect how regulators view subsequent incidents.
- Identity theft and synthetic identity construction using government-issued IDs
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
APDerm, the New England-based dermatology practice management network operating Adult & Pediatric Dermatology, P.C., and a portfolio of affiliated brands, was named on August 19, 2025 as a victim of the Qilin ransomware operation. The threat actor listed APDerm on its dark-web leak site, and the breach surfaced publicly through dark-web monitoring services in December 2025. Class-action investigations by U.S. plaintiff law firms began organizing shortly afterward.\n\nThe breach affected approximately 28,000 individuals. Compromised fields in the public disclosure included email addresses, phone numbers, and Social Security numbers. As a multi-brand dermatology practice network, the underlying records exfiltrated by the attackers also include identity, insurance, billing, and dermatologic diagnostic and treatment information typical of a specialty healthcare provider, beyond the more limited field set surfaced publicly.\n\nFor affected patients, the practical risk profile combines identity-fraud exposure with dermatology-specific risks. The combination of name, phone number, and Social Security number is a strong base for synthetic identity fraud, fraudulent credit applications, and identity-verification bypass. Inclusion in the dataset confirms the existence of a dermatology care relationship with one of the APDerm brands, which can support medical-themed scams referencing real treatments, biopsies, or insurance claims. Patients of pediatric dermatology services are a particular concern because children's identity data is durably exposed and is often the basis for child-identity fraud that can go undetected for years. Affected patients should freeze credit at all three U.S. bureaus, monitor health-insurance statements, and treat unsolicited contact referencing APDerm or any partner brand with caution.
About apderm.com
APDerm, formally Adult & Pediatric Dermatology, P.C., is a U.S.-based dermatology practice management group headquartered in Acton, Massachusetts. Founded in 1992 and backed by private equity firm Waud Capital Partners, APDerm operates as a network of physician-led dermatology practices across New England, with clinical locations spread across Massachusetts and New Hampshire. The network includes more than a dozen partner brands such as Adult & Pediatric Dermatology, Boston Dermatology and Laser Center, Mystic Valley Dermatology Associates, Coastal Dermatology, and Pioneer Valley Dermatology. Across the network, APDerm provides medical, surgical, cosmetic, and pediatric dermatology services. As a HIPAA-covered specialty healthcare network, APDerm holds substantial volumes of protected health information including patient identity, insurance, billing, diagnostic, and dermatologic treatment records.
Why They Hold Your Data
Dermatology practice networks collect patient identity, contact, insurance, billing, appointment, and treatment records across multi-location specialty care operations.
Recent Developments
APDerm was named on August 19, 2025 as a victim of the Qilin ransomware operation, with the breach surfacing publicly on dark-web monitoring sites in December 2025. The practice has not extensively detailed the incident in public statements as of this writing. U.S. plaintiff law firms began organizing class-action investigations following the December 2025 surfacing. APDerm has a separate prior history with HIPAA enforcement: the practice paid a $150,000 settlement to the U.S. Department of Health and Human Services in 2013–2014 over an unrelated photocopier-disposal breach involving 2,200 individuals. The 2025 incident is a distinct event involving a different threat-actor pathway.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, phone_number, ssn
Dark Web Verification
- Dataset containing ~28K records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: apderm-com-2025
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of apderm.com
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam