On Feb. 14, 2025, and again on May 13, 2025, Anne Arundel Dermatology, a medical practice specializing in dermatological care, experienced a massive data breach that exposed sensitive information belonging to almost two million patient records. According to official filings, the breach impacted at least 1,862 individuals in Texas alone, with additional affected individuals likely across several states.
The types of information exposed include names, addresses, dates of birth, medical information, health insurance information and other personal details. This incident involved both personally identifiable information (PII) and protected health information (PHI), making it a particularly serious event for those affected.
The breach was reported to the California Attorney General’s office on July 11, 2025, and to the Texas Attorney General’s office on the same day. Vermont authorities were notified on July 14, 2025.
The breach was significant enough to require notification under state data breach laws, and the company has since reached out to affected individuals through U.S. mail and email. The cybersecurity incident was disclosed to the U.S. Department of Health and Human Services on July 11, 2025, reporting 1,905,000 affected individuals.
In response to the breach, Anne Arundel Dermatology has notified affected patients directly by U.S. mail and email, as required by law. The company’s notifications aim to inform individuals about the types of information exposed and to provide guidance on steps to protect themselves. While specific details regarding additional support, such as credit monitoring or identity theft protection, have not been disclosed in public filings, individuals whose information was exposed should remain vigilant.
Those affected are encouraged to:
More information about the practice is available on the Anne Arundel Dermatology website.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure. ExpressVPN is offering 61% off, risk-free for 30 days, with ID Theft Insurance included and no extra cost for those who sign up for one or two years.