Anne Arundel Dermatology has agreed to pay $2,400,000 to settle a consolidated class action lawsuit related to a cybersecurity incident that exposed its network to unauthorized access for three months in 2025.
Incident Timeline
Anne Arundel Dermatology found suspicious activity within its computer network on May 13, 2025. A forensic investigation confirmed that an unauthorized third party had access between February 14, 2025, and May 13, 2025. It cannot be ascertained whether the threat actor accessed or exfiltrated patient data. The HIPAA-covered entity sent breach notification letters to 1,905,000 current and former patients who may have been affected.
Data Potentially Compromised
Information that may have been exposed included: names, birth dates, addresses, medical information, medical insurance information, and other personal information.
Litigation Background
Anne Arundel Dermatology faced 21 class action lawsuits because of the data incident. The lawsuits were consolidated into a single action, In Re Anne Arundel Data Breach Lawsuit, filed in the U.S. District Court for the District of Maryland. The consolidated lawsuit alleged that Anne Arundel Dermatology failed to keep sensitive data secure and failed to implement reasonable cybersecurity measures. Claims included negligence, breach of fiduciary duty, breach of contract, intentional invasion of privacy, and unjust enrichment. Anne Arundel Dermatology denied all allegations of wrongdoing, fault, and liability.
Settlement Terms
Class counsel pursued early resolution through mediation. The settlement has been finalized and received preliminary court approval. A final fairness hearing is scheduled for July 16, 2026.
Anne Arundel Dermatology will create a settlement fund amounting to $2.4 million. Payments will be deducted from the fund to cover attorneys’ fees and expenses, notification costs, settlement administration costs, and class representatives’ service awards. The remaining funds will be used to pay class members’ benefits.
Class Member Benefits
Class members are eligible for:
– A three-year membership to the CyEx Medical Shield Complete product, which provides medical data monitoring.
– One of two cash payment options:
  – Reimbursement of up to $5,000 per class member for documented, unreimbursed losses due to the breach.
  – An alternative pro rata cash payment, valued at $100, subject to change according to the number of valid claims.
The last day to opt out or object to the settlement is June 9, 2026. Claims must be filed by July 8, 2026.