High Severity (Score: 6/10)

Franklin Dermatology Group Data Breach Affects 2,457 Patients in TN


Breach Details

  • Entity: Franklin Dermatology Group, PLC
  • Individuals Affected: 2,457
  • State: TN
  • Breach Type: Hacking/IT Incident
  • Location: Network Server
  • Date Reported: September 11, 2025
  • Entity Type: Healthcare Provider
  • Business Associate: Yes

Franklin Dermatology Group Data Breach Affects 2,457 Patients in Tennessee

On September 11, 2025, Franklin Dermatology Group, PLC in Tennessee reported a significant data breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. The incident, which involved a hacking attack on the organization's network server, compromised the protected health information (PHI) of 2,457 individuals.

What Happened

Franklin Dermatology Group experienced a cybersecurity incident that targeted their network server infrastructure. According to the breach notification letter signed by Dr. Charity Foster McConnell, MD, the attack specifically compromised systems containing protected health information (PHI) of current and former patients, as well as guarantors associated with the practice.

The breach was classified as a hacking/IT incident and involved the organization's network server systems. Importantly, a business associate was also involved in this incident, highlighting the complex web of data relationships in modern healthcare operations.

While the exact timeline of when the breach occurred remains unclear from available information, Franklin Dermatology Group reported the incident to federal authorities on September 11, 2025, in compliance with HIPAA breach notification requirements under 45 CFR §164.408.

Who Is Affected

The data breach impacted 2,457 individuals who were current or former patients of Franklin Dermatology Group, or served as guarantors for patient accounts. All affected individuals should have received direct notification from the practice via mail, as required by HIPAA regulations.

Patients of Dr. Charity Foster McConnell, MD, and other medical providers at Franklin Dermatology Group are among those affected. The breach notification specifically mentions that recipients are receiving letters because they have an established patient or guarantor relationship with the dermatology practice.

Breach Details

Franklin Dermatology Group, PLC operates as a healthcare provider in Tennessee, specializing in dermatological services. The breach details include:

  • Entity Type: Healthcare Provider
  • Location: Tennessee
  • Individuals Affected: 2,457
  • Breach Classification: Hacking/IT Incident
  • Systems Compromised: Network Server
  • Business Associate Involvement: Yes
  • Reporting Date: September 11, 2025

The involvement of a business associate in this incident is particularly significant, as it demonstrates how third-party relationships can create additional vulnerability points in healthcare data security. Under HIPAA regulations, healthcare providers must ensure that business associates implement appropriate safeguards to protect PHI.

What This Means for Patients

When a healthcare provider experiences a data breach involving PHI, patients face several potential risks:

Identity Theft Risks

Compromised health information often includes sensitive personal identifiers such as Social Security numbers, dates of birth, addresses, and insurance information. Cybercriminals can use this data to commit identity theft or medical identity theft.

Medical Identity Theft

Unique to healthcare breaches, medical identity theft occurs when criminals use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims. This can result in incorrect information being added to victims' medical records.

Financial Fraud

Insurance information and payment details compromised in the breach could be used for financial fraud, including filing false insurance claims or accessing healthcare services under victims' identities.

Privacy Violations

Sensitive medical information about dermatological conditions, treatments, and diagnoses may have been exposed, representing a significant invasion of privacy for affected patients.

How to Protect Yourself

If you're among the 2,457 individuals affected by the Franklin Dermatology Group breach, take these immediate protective steps:

Monitor Financial Accounts

  • Review bank and credit card statements regularly for unauthorized transactions
  • Set up account alerts for suspicious activity
  • Consider placing a fraud alert or credit freeze on your credit reports

Watch for Medical Identity Theft

  • Review all medical bills and insurance statements carefully
  • Check your Explanation of Benefits (EOB) statements for services you didn't receive
  • Monitor your credit reports for medical debt you didn't incur
  • Request copies of your medical records annually to verify accuracy

Stay Alert for Phishing Attempts

  • Be suspicious of unsolicited emails, calls, or texts requesting personal information
  • Verify the identity of anyone claiming to represent Franklin Dermatology Group
  • Don't click links or download attachments from suspicious emails

Document Everything

  • Keep copies of all breach notification letters
  • Document any suspicious activity related to your accounts
  • Maintain records of steps you've taken to protect yourself

Contact Relevant Authorities

  • Report suspected identity theft to the Federal Trade Commission (FTC)
  • File a police report if you become a victim of identity theft
  • Contact your insurance company if you suspect medical identity theft

Prevention Lessons for Healthcare Providers

The Franklin Dermatology Group incident offers important lessons for healthcare providers seeking to strengthen their cybersecurity posture:

Business Associate Management

With a business associate involved in this breach, providers must ensure comprehensive Business Associate Agreements (BAAs) are in place and regularly reviewed. These agreements should clearly outline security requirements and incident response procedures.

Network Security Hardening

The targeting of network servers highlights the need for robust network security measures, including:

  • Regular security updates and patches
  • Network segmentation to limit breach impact
  • Multi-factor authentication for system access
  • Continuous network monitoring and threat detection

HIPAA Compliance Framework

Healthcare providers must implement comprehensive HIPAA compliance programs addressing the Security Rule requirements under 45 CFR §164.306. This includes:

  • Administrative safeguards for workforce training and access management
  • Physical safeguards for facilities and workstation security
  • Technical safeguards for electronic PHI protection

Incident Response Planning

Effective breach response requires predetermined procedures for:

  • Immediate containment and assessment
  • Forensic investigation coordination
  • Patient notification within required timeframes
  • Regulatory reporting compliance

Regular Risk Assessments

Conducting periodic risk assessments as required by HIPAA helps identify vulnerabilities before they can be exploited. These assessments should include evaluation of business associate relationships and third-party security practices.

The Franklin Dermatology Group breach serves as a reminder that healthcare organizations of all sizes remain attractive targets for cybercriminals. As the healthcare sector continues to face increasing cyber threats, robust security measures and comprehensive HIPAA compliance programs are essential for protecting patient information.

For affected patients, vigilance and proactive protective measures are crucial in the weeks and months following this breach. While the full extent of the compromised information hasn't been detailed publicly, taking preventive action now can help minimize potential harm from this security incident.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
