Southern Illinois Dermatology Data Breach: Patient PHI and SSNs Exposed in November 2025 Incident
Southern Illinois Dermatology has confirmed a significant data breach, with unauthorized actors accessing and potentially copying sensitive patient files from its network. The incident, first detected on November 28, 2025, exposed a trove of protected health information (PHI) and personal identifiers, including full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The clinic, which engaged third-party cybersecurity experts to investigate, only began mailing notification letters to an unspecified number of affected individuals on April 2, 2026—a delay of over four months from the initial discovery.
The breach highlights critical vulnerabilities in the healthcare sector's data security posture. The compromised data varies by individual but encompasses the core elements needed for identity theft and medical fraud. This incident follows a similar breach reported by Heart South Cardiovascular Group, signaling a potential pattern of targeting regional medical providers. The extended timeline between detection and patient notification raises immediate questions about the clinic's incident response protocols and its regulatory compliance obligations under HIPAA.
The exposure places affected patients at direct risk of financial and medical identity fraud, while Southern Illinois Dermatology now faces intense scrutiny from regulators and potential legal action. The breach underscores the persistent threat to smaller healthcare entities that may lack robust cybersecurity defenses and whose patient records are high-value targets for cybercriminals. The clinic's public disclosure, coming months after the fact, will test patient trust and could trigger broader examinations of data security practices at similar medical providers in the region.