CareCloud Breach Exposes Patient Records Across 45,000 Healthcare Providers
CareCloud disclosed a March 2026 breach of its EHR systems. Hackers accessed patient medical records across 45,000 providers for eight hours.
Formfy Team
Product Team

Summary
CareCloud, a healthcare software company serving over 45,000 providers, disclosed on March 30, 2026, that hackers accessed one of its electronic health record (EHR) environments on March 16. The company filed a Form 8-K with the SEC after determining the breach was material due to the sensitivity of potentially exposed patient data.
Key Details
The breach occurred on March 16, 2026, when an unauthorized actor gained access to one of CareCloud's six EHR environments for approximately eight hours. CareCloud restored full functionality by the evening of March 16 but did not determine the incident was material until March 24.
CareCloud filed its SEC disclosure on March 29, making the breach public on March 30. The Somerset, New Jersey-based company reported $120.5 million in revenue last fiscal year and serves hospitals and physician practices nationwide.
The company has not disclosed how many patients were affected or what categories of medical data were accessed. CareCloud engaged a Big Four accounting firm's cybersecurity division to conduct forensic analysis. Law enforcement and the company's cyber insurer have been notified.
No ransomware group had claimed responsibility as of March 31, 2026. CareCloud confirmed no other platforms, divisions, or environments were compromised.
Why This Matters
EHR breaches carry outsized risk because they expose complete medical histories, diagnoses, medications, and insurance information: data that cannot be changed like a credit card number. Healthcare providers using CareCloud's platform must now assess whether their patient records were stored in the affected environment and prepare breach notification workflows if required under HIPAA's 60-day rule.
The SEC filing obligation adds another layer: publicly traded healthcare technology vendors must now disclose material cyber incidents within four business days under the SEC's 2023 cybersecurity disclosure rules.
For healthcare practices managing patient intake and medical consent workflows, breaches like CareCloud's highlight the importance of tracking where sensitive patient data is stored and transmitted. Practices digitizing intake forms should verify their vendors' security posture and maintain documented audit trails of data access.
