The breach at DermCare Management happened between February 14 and February 26, 2025. They confirmed it on March 2, 2026. Patients are receiving notifications right now, in April 2026.
That’s 13 months.
DermCare doesn’t treat patients. It runs the administrative layer for multiple dermatology practices: scheduling, billing, records. When that layer gets breached, every practice on the platform gets hit at once. Patients generally have no idea their data even lives there.
What was exposed: names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account details, and medical records. That’s not a minor data exposure. That’s a complete identity theft package.
Two law firms are already investigating for class action. That won’t un-expose the data that’s been sitting in unknown hands for over a year.
DermCare isn’t unique here. Specialty practice management companies run this same shared-infrastructure model across dentistry, behavioral health, optometry. The economics make sense until the breach happens. Then every practice on the platform finds out at once.
What the DermCare breach reveals about the hidden risk of practice management vendors