Shelby Dermatology Breach Analysis – March 2025

In March 2025, a small Alabama-based dermatology clinic became the latest cautionary tale in a growing wave of healthcare cyberattacks. Shelby Dermatology, a practice with approximately 24 employees, disclosed a significant data breach that ultimately compromised the personal and health information of over 86,000 individuals.
While major hospitals and health systems tend to dominate headlines when breached, this incident underscores a hard truth: small practices are no less vulnerable—and often less prepared—when it comes to cybersecurity threats.
What Happened?
On or around March 7, 2025, Shelby Dermatology—operating under the larger brand name Dermatologists of Birmingham—identified suspicious activity on its network. A forensic investigation was immediately launched and concluded in mid-May, confirming that unauthorized access had occurred.
The breach exposed a wide range of sensitive data, including:
- Names
- Dates of birth
- Social Security numbers
- Contact information (phone, email, addresses)
- Health insurance details
- Medical diagnoses and treatment information
In total, 86,414 individuals were affected. Notification letters were sent beginning in early June, and impacted individuals were offered 12 months of free credit monitoring and identity theft protection through TransUnion.
What This Could Cost Shelby Dermatology
While the full financial fallout from the breach is still unfolding, industry benchmarks allow a rough estimate of its potential impact. According to IBM’s Cost of a Data Breach Report 2023, the average cost per healthcare record breached is $429. Applied to 86,414 records, that yields a theoretical cost of roughly $37 million. Such per-record averages are dominated by large enterprises, however, and do not scale linearly down to a 24-employee practice.
A more realistic breakdown for a small practice follows. Note that 2025 has seen settlements trend higher as class-action activity escalates, so the legal line in particular should be read as a floor rather than a ceiling:
Category | Estimated Cost
---|---
Investigation & Compliance | $175,000 - $225,000
Credit Monitoring (1 yr) | $3 - $5 per person × 86,414 ≈ $260,000 - $430,000
IT Security Upgrades | $50,000 - $150,000
Class-Action & Legal Costs | $500,000 - $1,000,000+
*Estimated Total (sum of row ranges)* | *$985,000 - $1,805,000+*
How Class Actions Influence the Cost
The table above allots $500K to $1M+ for legal fees, defense costs and potential settlements. Given the surge in healthcare breach litigation and recent precedent-setting payouts, even that figure may prove low if a multi-state class is certified.
Real-world settlement examples:
- Columbus Regional Healthcare faced a $1.1 million settlement for ~100K impacted individuals, including cash payouts and credit monitoring.¹
- Enzo Biochem agreed to a $7.5 million settlement after a healthcare breach, offering up to $10K per person plus credit monitoring.²
While Shelby Dermatology is much smaller, the litigation environment is now more aggressive, especially for breaches involving SSNs and health info.
Conclusion
Shelby Dermatology’s breach highlights the disproportionate risk faced by smaller healthcare providers operating in an increasingly hostile digital environment. With over 86,000 patients impacted and potential costs exceeding $1.7 million, this incident should motivate every practice to reevaluate its cybersecurity posture before it finds itself in a similar situation.
References
1. The Sun. Columbus Regional Healthcare data breach settlement. https://www.the-sun.com/news/columbus-breach-settlement
2. Honigman. Enzo Biochem breach class action details. https://www.honigman.com/media/enzo-breach-settlement-2024.pdf
3. IBM Cost of a Data Breach Report 2023. https://www.ibm.com/reports/data-breach
4. U.S. Department of Health and Human Services Breach Portal. https://ocrportal.hhs.gov/ocr/breach
5. Class action notices from Edelson Lechtzin LLP and Shamis & Gentile P.A. https://www.claimdepot.com/investigations/shelby-dermatology-data-breach-2025
