Kinetic Potential Blog

Healthcare management services provider QualDerm Partners is notifying more than 3.1 million people that their personal, medical, and health insurance information was stolen in a December 2025 data breach.

The incident, the company says, was discovered on December 24 and involved unauthorized access to its network for two days.

During this window, the attackers exfiltrated certain information from the “limited number of systems” that they compromised, the company notes in an incident notification (PDF).

The stolen information, it says, includes names, addresses, dates of birth, email addresses, medical record numbers, doctor names, treatment and diagnosis information, health insurance information, dates of death, and, in some cases, government-issued ID information.

QualDerm also notes that its investigation into the data breach continues, and that it has decided to notify the patients who have been identified to date.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026.

The vulnerabilities that have come under exploitation are listed below -

Third-party benefits administrator Navia Benefit Solutions is notifying nearly 2.7 million people that their personal information was stolen in a data breach.

The incident, the company says, was discovered on January 23, but the investigation into the matter determined that hackers had access to its systems between December 22, 2025, and January 15, 2026.

During that window, the attackers accessed and likely exfiltrated personal information such as names, dates of birth, Social Security numbers, phone numbers, and email addresses, as well as health plan information.

“This investigation and response included confirming the security of our systems, reviewing the contents of relevant data for sensitive information, and notifying potentially impacted individuals via a letter to their home address, where address information was available,” Navia notes in an incident notification.