CareCloud Breach Exposes Patient Records Across 45,000 Healthcare Providers
CareCloud disclosed a March 2026 breach of its EHR systems. Hackers accessed patient medical records across 45,000 providers for eight hours.
Formfy Team
Product Team
CareCloud Breach Exposes Patient Records Across 45,000 Healthcare Providers
Summary
CareCloud, a healthcare software company serving over 45,000 providers, disclosed on March 30, 2026, that hackers accessed one of its electronic health record (EHR) environments on March 16. The company filed a Form 8-K with the SEC after determining the breach was material due to the sensitivity of potentially exposed patient data.
Key Details
The breach occurred on March 16, 2026, when an unauthorized actor gained access to one of CareCloud's six EHR environments for approximately eight hours. CareCloud restored full functionality by the evening of March 16 but did not determine the incident was material until March 24.
CareCloud filed its SEC disclosure on March 29, making the breach public on March 30. The Somerset, New Jersey-based company reported $120.5 million in revenue last fiscal year and serves hospitals and physician practices nationwide.
Related reading: Kentucky Passes Smart TV Privacy Bill: Automatic Content Recognition Data Now Requires Consent covers the next step in this workflow.
Related reading: Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA covers the next step in this workflow.
Related reading: Conduent Healthcare Breach Hits 25 Million Americans as 35 Lawsuits Consolidate covers the next step in this workflow.
Related reading: California Privacy Agency Fines Data Brokers Selling Health Data in Delete Act Crackdown covers the next step in this workflow.
Related reading: 20 US States Enforce Privacy Laws in 2026 After Indiana, Kentucky, and Rhode Island Go Live covers the next step in this workflow.
The company has not disclosed how many patients were affected or what categories of medical data were accessed. CareCloud engaged a Big Four accounting firm's cybersecurity division to conduct forensic analysis. Law enforcement and the company's cyber insurer have been notified.
No ransomware group had claimed responsibility as of March 31, 2026. CareCloud confirmed no other platforms, divisions, or environments were compromised.
Why This Matters
EHR breaches carry outsized risk because they expose complete medical histories, diagnoses, medications, and insurance information-data that cannot be changed like a credit card number. Healthcare providers using CareCloud's platform must now assess whether their patient records were stored in the affected environment and prepare breach notification workflows if required under HIPAA's 60-day rule.
The SEC filing obligation adds another layer: publicly traded healthcare technology vendors must now disclose material cyber incidents within four business days under the SEC's 2023 cybersecurity disclosure rules.
For healthcare practices managing patient intake and medical consent workflows, breaches like CareCloud's highlight the importance of tracking where sensitive patient data is stored and transmitted. Practices digitizing intake forms should verify their vendors' security posture and maintain documented audit trails of data access.
Sources
Formfy Team
Product Team
Related Articles
Recent compliance and digital workflow updates for 2026-05-13
A source-backed roundup of recent compliance, security, and digital workflow updates for teams managing forms and records.
Recent compliance and digital workflow updates for 2026-04-13
A source-backed roundup of recent compliance, security, and digital workflow updates for teams managing forms and records.
Patlytics Raises $40M Series B as AI Fuels Surge in Patent Filings and IP Litigation
Patlytics closed a $40M Series B led by SignalFire on April 8, 2026, serving 40%+ of Am Law 100 firms with AI for the full patent lifecycle.