U.S. Dermatology Partners Patients Get Cash Payments After June 2024 Ransomware Attack Exposed Medical Records

ByAll About Lawyer Reading Time: 13 minutes

U.S. Dermatology Partners (OSDM) reached a class action settlement following a June 2024 ransomware attack that exposed patient names, dates of birth, Social Security numbers, medical records, and health insurance information. Affected patients can file claims for cash compensation and receive free credit monitoring.

The BlackBasta ransomware group claimed responsibility for the cyberattack on June 19, 2024, which compromised sensitive patient information. The lawsuit alleges U.S. Dermatology Partners failed to implement adequate cybersecurity measures to protect patient data.

This Affects You If You Were a U.S. Dermatology Partners Patient

This affects you if you were a patient at any U.S. Dermatology Partners location and received a data breach notification letter in May 2025 or later. Understanding this settlement matters because your Social Security number, medical records, and health insurance information may have been stolen by cybercriminals during the BlackBasta ransomware attack. This puts you at serious risk for identity theft, medical identity fraud, and financial fraud that could affect you for years.

The settlement provides cash compensation for time spent addressing the breach, higher payments for documented losses like identity theft expenses, and free credit monitoring services—but only if you file your claim before the deadline.

What Happened in the U.S. Dermatology Partners Data Breach

The June 2024 Ransomware Attack

On June 19, 2024, U.S. Dermatology Partners experienced a network disruption when an unauthorized party accessed the company’s computer systems. External forensic experts determined that hackers infiltrated the network and transferred patient files to an external destination on the same day.

The ransomware group BlackBasta claimed responsibility for the attack and threatened to publish the stolen data on the dark web. The breach affected patients across U.S. Dermatology Partners’ network of over 100 dermatology practices in Arizona, Colorado, Kansas, Maryland, Missouri, Oklahoma, Texas, and Virginia.

U.S. Dermatology Partners completed a comprehensive review of the compromised files on April 2, 2025—nearly 10 months after the attack occurred. The company began mailing breach notification letters to affected patients on May 30, 2025.

What Patient Information Was Exposed

The June 2024 data breach potentially exposed highly sensitive patient information including names, dates of birth, medical record numbers, health insurance information, diagnosis and treatment information, prescription information, and information related to dermatology services received at U.S. Dermatology Partners practices.

For a limited number of patients, Social Security numbers and driver’s license numbers were also contained in the compromised files. The breach affected approximately 13,717 individuals according to reports submitted to the HHS Office for Civil Rights.

The Lawsuit’s Allegations

The class action lawsuit filed in the 44th District Court of Dallas County, Texas (Case No. DC-25-12249) alleges that U.S. Dermatology Partners failed to implement reasonable cybersecurity measures to protect patient data from unauthorized access.

Plaintiffs claim the company lacked adequate encryption of sensitive patient information, had insufficient access controls and authentication systems, failed to conduct proper security risk assessments, had inadequate employee training on data security, lacked proper incident response and breach detection systems, and failed to timely detect and respond to the cyberattack.

The lawsuit further alleges violations of HIPAA Security Rule requirements, negligence in protecting patient data, breach of fiduciary duty to patients, and violation of state data breach notification laws due to delayed notification.

Pro Tip: Even if you haven’t experienced identity theft yet, file a claim immediately. Data stolen in the June 2024 breach is circulating on the dark web where criminals can use it for years. The settlement provides compensation for your time spent addressing the breach and offers free credit monitoring to help detect fraud early.

Related Article: Rheem Water Heater Defective Drain Valve Class Action Settlement, Claim Up to $1,500 Available for Owners

U.S. Dermatology Partners Patients Get Cash Payments After June 2024 Ransomware Attack Exposed Medical Records

What the Settlement Provides

Cash Payment Options

The settlement offers multiple forms of compensation for affected patients. While the exact settlement fund amount has not been publicly disclosed, affected patients can claim payments based on their circumstances.

Ordinary Claims: Patients who spent time addressing the data breach can file ordinary claims for time-based compensation. This typically compensates you for hours spent monitoring accounts, placing fraud alerts, reviewing credit reports, and dealing with breach-related issues. Ordinary claims in similar healthcare data breach settlements typically pay $25 to $100 without requiring extensive documentation.

Extraordinary Claims: Patients who suffered documented out-of-pocket losses related to the breach can file extraordinary claims for reimbursement. Eligible expenses include credit monitoring services purchased, identity theft resolution services, fraudulent charges not reimbursed by your bank or credit card company, accountants’ or attorneys’ fees related to identity theft, costs of placing or lifting credit freezes, and time spent at a reasonable hourly rate resolving breach-related issues with documentation.

Extraordinary claims in recent data breach class action settlements typically allow reimbursement up to $2,500 to $10,000 depending on documented losses.

Free Credit Monitoring Services

All settlement class members are eligible to enroll in free credit monitoring and identity theft protection services. U.S. Dermatology Partners is offering complimentary credit monitoring to patients whose Social Security numbers or driver’s license numbers were involved in the breach.

The credit monitoring services typically include monitoring of credit files at major credit bureaus, dark web monitoring for personal information, identity theft insurance coverage, and fraud resolution assistance if you become a victim of identity theft.

Enhanced Security Measures

While the settlement agreement details have not been fully disclosed, settlements in similar medical data breach cases typically require healthcare providers to implement enhanced cybersecurity measures including stronger encryption of patient data, improved access controls and multi-factor authentication, regular security risk assessments and audits, enhanced employee training on cybersecurity, improved incident detection and response systems, and compliance monitoring for a specified period.

Who Is Eligible and How to File a Claim

Class Definition

The settlement class includes all individuals in the United States whose personal information was potentially compromised in the U.S. Dermatology Partners data security incident that occurred in June 2024. This includes anyone who received a written breach notification letter from U.S. Dermatology Partners stating their information may have been affected.

Excluded from the class are persons who timely and validly request exclusion, the judge and court staff assigned to the case, U.S. Dermatology Partners’ officers and directors, and anyone found guilty of initiating or aiding the criminal activity that caused the breach.

How to File Your Claim

Visit the official settlement website at osdmdatasettlement.com to access the claim form and settlement documents.

You can file your claim online at osdmdatasettlement.com/form/claim or download claim documents fromosdmdatasettlement.com/documents to print, complete, and mail.

To file, you’ll need to provide basic information to verify you’re a class member including your name, address, dates you were a U.S. Dermatology Partners patient, and the breach notification letter you received.

For Ordinary Claims: You’ll need to submit a declaration that you spent time addressing the data breach. Describe the actions you took, such as monitoring accounts, reviewing credit reports, placing fraud alerts, or contacting financial institutions.

For Extraordinary Claims: You must provide documentation to prove your out-of-pocket losses. Acceptable documentation includes receipts for credit monitoring services, bank statements showing fraudulent charges, invoices from identity theft resolution services, police reports for identity theft, correspondence with creditors or banks, time logs documenting hours spent with supporting evidence, and a declaration under penalty of perjury that your information is true.

Critical Deadlines

The specific claim filing deadline, objection deadline, and opt-out deadline will be announced on the settlement website and in notices mailed to class members. Claim deadlines in class action settlements typically fall 90-120 days after preliminary approval or notice mailing.

The court has not yet announced the final approval hearing date. Check osdmdatasettlement.com regularly for updated deadline information.

What Happens Next

After you file your claim, the settlement administrator will review it for completeness and supporting documentation. The administrator will verify your eligibility using U.S. Dermatology Partners’ patient records and the information you provide.

Payments will be distributed after the court grants final approval to the settlement and any appeals are resolved. This typically takes 6-12 months after the claim deadline, meaning eligible patients can expect payments sometime in 2026 or early 2027 depending on when deadlines are set and final approval is granted.

Understanding Healthcare Data Breach Laws

What HIPAA Requires

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires healthcare providers to implement safeguards to protect electronic protected health information (ePHI). These requirements include administrative safeguards such as security risk assessments, security policies and procedures, workforce training on data security, and incident response plans.

Physical safeguards require facility access controls, workstation and device security, and policies for physical access to electronic information systems. Technical safeguards mandate encryption and decryption of ePHI, access controls limiting who can view patient data, audit controls tracking who accessed what data, and transmission security when sending ePHI electronically.

The HIPAA Breach Notification Rule requires healthcare providers to notify affected patients within 60 days of discovering a breach affecting 500 or more individuals. The 10-month delay between the June 19, 2024 attack and the May 30, 2025 notification letters raises questions about whether U.S. Dermatology Partners complied with federal notification requirements.

Your Rights as a Patient

As a patient whose information was compromised, you have important legal rights. You have the right to receive timely notification of data breaches affecting your health information. You have the right to know what specific information was compromised in the breach. You have the right to receive free credit monitoring and identity theft protection services when sensitive data like Social Security numbers is exposed.

You have the right to file a complaint with the HHS Office for Civil Rights about HIPAA violations. You can report healthcare data breaches to the OCR at hhs.gov/ocr/complaints. You have the right to sue healthcare providers for damages resulting from negligent data security practices.

You have the right to place fraud alerts and credit freezes with the three major credit bureaus (Equifax, Experian, TransUnion) to prevent identity theft. You have the right to obtain free credit reports to monitor for suspicious activity.

Common Breach Risks

The exposure of your Social Security number, medical records, and health insurance information creates several serious risks. Identity theft using your SSN and personal information can allow criminals to open fraudulent credit accounts, apply for loans in your name, or file fake tax returns to steal your refund.

Medical identity fraud using your health insurance and medical records can result in criminals obtaining medical services using your insurance, creating fraudulent medical bills in your name, or altering your medical records with incorrect information that could affect your future care.

Financial fraud using your bank account or credit card information can lead to unauthorized charges or withdrawals. Tax fraud using your Social Security number can result in criminals filing fake tax returns to claim your refund before you file.

Phishing scams often target data breach victims. Be extremely wary of unsolicited emails, calls, or texts claiming to be from U.S. Dermatology Partners, the settlement administrator, or government agencies asking for personal information.

Your Rights and Options Under the Settlement

Accept the Settlement

If you file a claim by the deadline, you’ll receive compensation and remain a class member. By accepting the settlement, you release all claims against U.S. Dermatology Partners related to the June 2024 data breach. This means you cannot sue the company individually for the same breach.

This is the simplest option for most patients and ensures you receive compensation for the breach harm.

Object to the Settlement

If you think the settlement amount is inadequate or the terms are unfair, you can file a written objection with the court by the objection deadline. You can attend the final approval hearing to voice your concerns.

Even if you object, you’re still bound by the settlement if the court approves it—unless you also opt out.

Opt Out

You can exclude yourself from the settlement entirely by sending a written opt-out request by the opt-out deadline. Opting out preserves your right to sue U.S. Dermatology Partners individually.

However, if you opt out, you receive nothing from this settlement. Opting out only makes sense if you have significant individual damages—like $10,000+ in identity theft losses—worth pursuing separately with your own attorney.

Do Nothing

If you take no action, you get nothing but are still bound by the settlement and release your claims. This is the worst option—you give up your legal rights to sue U.S. Dermatology Partners over this breach without receiving any compensation.

What to Do If You’re Affected

Immediate Steps

Locate your breach notification letter from U.S. Dermatology Partners that you received in May 2025 or later. This proves you’re a class member.

Visit osdmdatasettlement.com for official settlement information and the claim form.

Gather documentation of any out-of-pocket expenses related to the breach including receipts for credit monitoring services, bank statements showing fraudulent charges, credit card statements with unauthorized transactions, invoices from identity theft resolution services, police reports if you filed one for identity theft, time logs documenting hours spent addressing the breach, and correspondence with creditors, banks, or credit bureaus.

Decide whether to file an ordinary claim for time spent or an extraordinary claim for documented losses. You can only choose one type of claim, so calculate which provides more compensation based on your situation.

File your claim before the deadline. Don’t wait until the last minute—technical issues or mail delays could cause you to miss out.

Enroll in the free credit monitoring offered through the settlement if your Social Security number or driver’s license number was involved.

Protecting Yourself from Identity Theft

Take immediate protective steps to safeguard your identity. Review your credit reports from all three major credit bureaus for suspicious activity. You’re entitled to free weekly credit reports at AnnualCreditReport.com.

Place fraud alerts on your credit reports with Equifax, Experian, and TransUnion by calling any one of the three bureaus. A fraud alert tells creditors to verify your identity before opening new accounts.

Consider placing a credit freeze on your credit files to prevent criminals from opening new accounts in your name. Freezes are free and you can lift them when needed.

Monitor your bank and credit card statements closely for unauthorized transactions. Report suspicious charges immediately to your financial institution.

Watch for medical identity fraud by reviewing your Explanation of Benefits statements from your health insurer. Look for medical services you didn’t receive or providers you’ve never visited. Check your medical records for inaccuracies that could indicate someone else used your identity.

File an identity theft report with the FTC at IdentityTheft.gov if you discover fraud. The FTC provides a recovery plan and affidavit you can use when disputing fraudulent accounts.

Change passwords for online accounts, especially healthcare portals, financial accounts, and email. Use strong, unique passwords for each account. Enable multi-factor authentication on all accounts that offer it.

Be extremely alert for phishing emails or calls. Criminals often target data breach victims with scams pretending to be from the company, settlement administrator, or government agencies. Never click suspicious links or provide personal information to unsolicited contacts.

Long-Term Vigilance

Continue monitoring your credit regularly even after the free credit monitoring period ends. Identity theft can occur months or even years after a data breach.

Review your medical records annually to ensure accuracy. Medical identity fraud can go undetected for long periods.

Keep detailed documentation of all breach-related expenses and time spent. If you experience identity theft later that you can trace to this breach, you may have options for additional recovery.

If you experience significant identity theft years from now that appears related to the U.S. Dermatology Partners breach, document all losses carefully and consult a data breach or privacy attorney about your options.

Where to Get More Information

Settlement Website: osdmdatasettlement.com
 Claim Form: osdmdatasettlement.com/form/claim
 Settlement Documents: osdmdatasettlement.com/documents

For questions about the settlement, check the settlement website for contact information for the settlement administrator.

HIPAA Resources:
HHS Office for Civil Rights: hhs.gov/ocr
 File HIPAA Complaint: hhs.gov/ocr/complaints

Identity Theft Resources:
Federal Trade Commission: IdentityTheft.gov
 Free Credit Reports: AnnualCreditReport.com

Credit Bureau Fraud Alerts:
Equifax: 1-800-525-6285
Experian: 1-888-397-3742
TransUnion: 1-800-680-7289

Frequently Asked Questions

How much money will I get from this settlement?

Payment amounts depend on the settlement fund size and the number of claims filed. Ordinary claims for time spent typically pay $25 to $100 without extensive documentation. Extraordinary claims with documented losses can provide reimbursement up to $2,500 to $10,000 depending on your actual expenses.

When is the deadline to file my claim?

The specific claim deadline will be announced on the settlement website at osdmdatasettlement.com and in notices mailed to affected patients. Claim deadlines typically fall 90-120 days after preliminary approval or notice mailing.

What patient information was exposed in the breach?

The breach exposed names, dates of birth, medical record numbers, health insurance information, diagnosis and treatment information, and dermatology services information. For some patients, Social Security numbers and driver’s license numbers were also compromised.

Am I eligible for the settlement?

You’re eligible if you were a patient at any U.S. Dermatology Partners location and your personal information was compromised in the June 2024 data breach. If you received a breach notification letter from U.S. Dermatology Partners in May 2025 or later, you qualify.

How do I file a claim?

Visit osdmdatasettlement.com/form/claim to file online, or download claim forms from osdmdatasettlement.com/documents to print and mail. You’ll need your breach notification letter and documentation of any losses you’re claiming.

Did U.S. Dermatology Partners admit to security failures?

No. U.S. Dermatology Partners denies all allegations of wrongdoing and maintains it committed no violations. The company agreed to the settlement to avoid the cost and uncertainty of continued litigation.

What security improvements is U.S. Dermatology Partners making?

U.S. Dermatology Partners stated it has implemented additional measures to strengthen the security of its information technology systems and patient data. Specific details about enhanced security measures will be outlined in the final settlement agreement.

Last Updated: January 14, 2026 — We keep this current with the latest legal developments.

Disclaimer: This article provides information about the U.S. Dermatology Partners data breach class action settlement based on publicly available court documents, settlement notices, and the official settlement website at osdmdatasettlement.com. It is not legal advice, and AllAboutLawyer.com does not provide legal services. If you have specific legal questions about the settlement or your rights as a patient, consult a qualified attorney. Information is based on publicly available documents and may change as the case proceeds.

Take Action Now: Don’t leave money on the table. Visit osdmdatasettlement.com to check for deadline updates and file your claim. Even if you haven’t experienced identity theft yet, you’re entitled to compensation for time spent addressing this breach, and filing takes just minutes online.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *