Patients' Health and Financial Data at Stake as Federal Judge Consolidates Three Suits Over Dermatology Chain's 2025 Breach

CINCINNATI (LN) — A federal judge on Wednesday consolidated three putative class actions against Central States Dermatology Services, LLC — the company behind DOCS Dermatology Group — and appointed a Cincinnati plaintiffs' attorney as interim class counsel to steer the litigation arising from a data breach that allegedly swept up patients' most sensitive health and financial information.

U.S. District Judge Douglas R. Cole, sitting in the Southern District of Ohio, signed off on the unopposed motion filed by plaintiffs Bill Maddox, Tony Hamblin, and Dan Bertsos, all patients who sued the dermatology chain within days of each other in late January after learning their records had been compromised.

The breach, which allegedly ran from November 19 through November 27, 2025, involved an unauthorized actor who, according to the Maddox complaint, accessed Central States Dermatology's network and exfiltrated data including "names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, treatment/diagnosis information, prescription/medication information, dates of service, provider names, medical record numbers, patient account numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information."

Maddox's complaint alleged the stolen data was "Internet-accessible," was not encrypted, and that the company failed to delete Private Information it no longer needed — making a breach of this nature foreseeable. It also alleged Central States Dermatology failed to timely notify patients after the intrusion occurred. As the complaint put it, "exposure of one's Private Information to cybercriminals is a bell that cannot be un-rung."

The three cases assert nearly identical claims: negligence, negligence per se based on violations of the FTC Act and HIPAA, breach of implied contract, and unjust enrichment. The proposed class covers all U.S. residents whose Private Information was compromised in the breach. The plaintiffs' consolidation motion described all three actions as focusing on whether the defendant is liable to customers for its failure to protect the Private Information entrusted to it by those customers — a characterization Cole cited approvingly in granting the motion.

Central States Dermatology did not oppose consolidation, instead requesting an extension to answer and, later, a stay pending resolution of the motion — which Cole granted before lifting it Wednesday alongside the consolidation order. The company has not yet moved or answered in any of the three cases.

For interim class counsel, Cole appointed Terence R. Coates of Markovits, Stock & DeMarco, LLC, citing Coates's pre-suit investigation — which included reviewing publications about the breach, evaluating state attorney generals' information regarding the breach, researching Sixth Circuit data-privacy precedent, and coordinating among the three plaintiff groups — as well as his track record in the courthouse. Cole had previously appointed Coates as class counsel in a separate data-breach matter, In re Cinfed Fed. Credit Union Data Breach Litig., finding he "is experienced in handling class actions, knowledgeable on the applicable law, and will ably discharge their duties as class counsel."

Cole also ordered that any future cases filed or transferred to the Southern District of Ohio arising from the same breach be folded into the consolidated action, and directed plaintiffs to file a consolidated amended complaint within thirty days.

The proposed class definition — all U.S. residents whose data was taken — leaves the potential class size undefined, and Central States Dermatology has yet to disclose how many patients were affected by the November breach.