On March 16, 2026, CareCloud, a publicly traded healthcare technology company based in Somerset, NJ, announced that a threat actor accessed one of six cloud-based electronic health record (EHR) environments for approximately eight hours. CareCloud offers cloud-based EHRs, practice management software, revenue cycle management tools, and patient engagement applications to over 45,000 healthcare providers nationwide, spanning all 50 states and over 70 medical specialties.
CareCloud filed an SEC Form 8-K on March 24, 2026, detailing that the incident resulted in an isolated network disruption, which temporarily impacted some functionality and access to data within CareCloud Health. Full system functionality was restored on March 16, 2026. CareCloud does not believe that the threat actor currently has access to its systems.
Incident Review
| Item | Detail |
|---|---|
| COMPANY | CareCloud, Inc. |
| DATE OF INCIDENT | March 16, 2026 |
| DURATION OF ACCESS | Approximately 8 hours |
| SYSTEMS | 1 of 6 EHR environments (CareCloud) |
| POTENTIALLY IMPACTED | Potentially 45,000+ providers; millions of patients |
| DATA AT RISK | PHI (names, DoB, SSNs, diagnoses, treatment, insurance/billing information) |
| SEC FORM FILED | Form 8-K, March 24, 2026 |
What We Know
TechCrunch first reported that a threat actor accessed one of CareCloud’s six cloud-based EHR environments. CareCloud’s infrastructure runs on Amazon Web Services (AWS), as is common for modern healthcare technology companies. Nothing reported so far implicates AWS itself as the root cause. As in most breaches of cloud-hosted healthcare systems, the likely entry point is the layer the tenant owns under the shared responsibility model: the identity, access control, and authentication processes that sit between an organization and AWS. CareCloud has not published a root cause, so this remains an inference from the reporting to date rather than a confirmed finding.
The biggest outstanding question is whether any patient data was actually exfiltrated during those eight hours, and CareCloud has yet to confirm what, if any, data was accessed or exfiltrated. SecurityWeek reported that CareCloud determined on March 24 that the breach was material and had to be reported to the SEC.
We know that CareCloud stores patient names, DoB, SSNs, medical diagnoses, treatment histories, prescriptions, health insurance information, and billing data within its EHR environment. Several class action law firms have already begun investigations to represent impacted patients should a class action lawsuit materialize.
Why Should this Incident Concern You?
Because this could be your infrastructure. How secure are the systems that electronically transport patient data behind the curtain of the clinical experience that most patients will never know exists?
When healthcare organizations think about third-party risk, infrastructure is often an afterthought. It’s not where clinicians spend their days, managing patients and caring for their communities. That blind spot, however, is what makes third-party breaches so common and so impactful.
Ransomware attacks disclosed by healthcare organizations increased 49% in 2025 alone, continuing a trend we’ve seen each year for the past decade. Healthcare remains the most commonly targeted industry, representing 22% of all disclosed ransomware attacks. And in 96% of those attacks, data was exfiltrated before it was encrypted, meaning organizations face breach notification and regulatory penalties regardless of whether the ransom was paid.
The impact of a healthcare data breach extends far beyond regulation. Healthcare data breaches are the most expensive, costing organizations an average of $7.42 million per breach. Medical records are more valuable on the dark web than most stolen credit card numbers. You can cancel a credit card, but you can’t cancel a medical record. Stolen healthcare information can be used to facilitate identity theft, insurance fraud, and spear phishing campaigns for years after the initial breach occurred.
While the full magnitude of this breach will not be known for months, CareCloud supports 45,000 providers serving patients in over 70 specialties nationwide, and Newsweek reported that millions of patients may have been impacted. We will update this page as additional details are confirmed, but the scope is likely to be far larger than any single healthcare organization could have exposed by running its own EHR infrastructure in-house.
Regulatory Concerns Raised by This Breach
As is the case with any healthcare breach, this incident will trigger regulatory requirements across multiple jurisdictions.
HIPAA: Health Insurance Portability and Accountability Act
CareCloud is a business associate under HIPAA. CareCloud provides services to covered entities (CEs), including physician practices, hospitals, and health systems. Under HIPAA, CareCloud and its customers are required to safeguard the transmission, storage, and disposal of ePHI through administrative, physical, and technical safeguards.
Key takeaways for the covered entities that rely on CareCloud as a business associate include:
- Conducting a Risk Analysis (45 CFR §164.308(a)(1)): Covered entities and business associates must have an accurate and up-to-date risk analysis of their information systems that process ePHI. Risk analysis has been a key focus for OCR audit readiness and enforcement activities. In 2025, OCR cited organizations for failing risk analysis requirements in 53% of its enforcement actions.
- HIPAA Breach Notification Rule (45 CFR §§164.400–414): Covered entities must provide breach notifications to affected individuals, HHS, and, in some cases, the media, without unreasonable delay and no more than 60 days from the discovery of a breach. Business associates are required to notify the affected covered entities without unreasonable delay and no later than 60 days from discovery. Note that if the business associate acts as the covered entity’s agent, the associate’s discovery date is imputed to the covered entity, so your 60-day clock may start earlier than the date you receive notice.
- Business Associate Agreement Standard (45 CFR §164.308(b)): Every covered entity that works with CareCloud is required to have a BAA in place. That agreement spells out each party’s responsibilities in the event of a data breach, including each party’s notification responsibilities, expectations for cooperation during investigations, and containment responsibilities.
- Minimum Necessary Standard (45 CFR §164.502(b)): Covered entities should evaluate whether the PHI they shared with CareCloud was limited to the minimum necessary for the services CareCloud provides, since any over-sharing enlarges the population affected by a vendor breach.
Any covered entity storing patient data with CareCloud will be subject to HIPAA breach notification requirements once CareCloud identifies the type of data exposed.
SEC Cybersecurity Disclosure Rules
Publicly traded healthcare organizations are subject to SEC disclosure requirements around cybersecurity incidents. CareCloud filed a Form 8-K on March 24, 2026, detailing the cyber incident. Unlike HIPAA’s 60-day breach notification window, the SEC requires public companies to report a material cybersecurity incident within four business days of determining that it is material, a clock that runs from the materiality determination rather than from discovery.
State Privacy Laws & Breach Notification Rules
CareCloud has customers across all 50 states, meaning that numerous state data breach notification laws were likely triggered by this incident. Most states have breach notification requirements that align closely with HIPAA. However, many states impose additional requirements for breaches impacting healthcare data.
Proposed 2025 HIPAA Security Rule Update
In December 2024, HHS’s Office for Civil Rights released a Notice of Proposed Rulemaking (NPRM) that introduces sweeping changes to the HIPAA Security Rule. Several of the proposed updates respond directly to the third-party breaches the industry suffered in 2024 and, if finalized, could take effect before this breach is resolved.
Proposed updates that bear directly on an incident like this one include:
- Mandatory annual penetration testing by a Qualified Independent Tester
- Development and annual testing of incident response plans
- Technical Safeguards updates around access management programs and audit controls
What This Means for Your Organization
If you provide care through CareCloud, or any third-party EHR platform for that matter, this breach isn’t your neighbor’s problem. This breach is a direct reflection of your organization’s risk exposure.
Think about how much trust you have placed in CareCloud and other third-party vendors every time you agree to their terms of service. CareCloud maintains EHR environments for millions of patients served by tens of thousands of providers nationwide. A single CareCloud environment was accessed for roughly eight hours, and millions of patients could be affected. No individual healthcare organization has visibility into or control over the security of third-party platforms serving their patients. Yet we accept this risk every day.
Healthcare organizations that struggle most after breaches like this are the ones that realize during their investigation that they don’t have a complete BAA in place with CareCloud, their vendor risk assessments are out of date, their incident response plan doesn’t address third-party vendors, and their HIPAA risk analysis doesn’t account for today’s threat landscape.
Breaches like this also highlight a trend that we’ve noticed across HALOCK’s healthcare cybersecurity clients: too many organizations are focused on implementing security controls and not enough are investing the required resources into building cybersecurity governance and vendor risk management programs to ensure those controls are effective. If you can’t demonstrate how you made risk decisions around your security controls, they were likely not reasonable under HIPAA’s Security Rule. Reasonable security doesn’t look the same for every organization, and the record of how you arrived at it cannot be reconstructed after a breach has occurred.
The HIPAA Security Rule requires that you implement reasonable and appropriate security controls based on your risk analysis. If your organization is asked to explain its security controls during a regulatory investigation, having a current, defensible risk analysis will put you in a much better position than neighboring organizations that haven’t updated theirs.
Steps You Can Take to Protect Your Organization
- Identify whether you have CareCloud exposure. Start by reaching out to CareCloud directly to confirm whether your organization’s data was housed in the affected environment. Request written confirmation detailing the scope of the incident as it relates to your data, and keep records of all communications.
- Review your Business Associate Agreement (BAA). Locate your BAA with CareCloud and review your notification requirements, expected breach response activities, and requirements to cooperate with investigations. Confirm that CareCloud has met its deadlines for providing breach notification under the terms of your agreement and under HIPAA.
- Prepare to implement your incident response plan. Does your incident response plan (IRP) include language about third-party vendor breaches? If not, you need to update it. Just because this breach occurred at a business associate doesn’t mean your HIPAA breach notification obligations are waived.
- Start documentation, beginning with your HIPAA Privacy Officer and legal counsel. Document all business associates with access to PHI or ePHI.
- If your risk analysis is over 12 months old or doesn’t include a thorough analysis of your third-party EHR platform, update it. CareCloud’s risk will be analyzed during their investigation. Your risk analysis should include your business associates, too. HALOCK’s HIPAA Risk Assessment services provide you with a documented risk analysis built to satisfy OCR requirements.
- Look at your access controls. The vulnerabilities leading to most EHR breaches are created by weak access controls and poor authentication hygiene. Do a quick review of your MFA implementation, privileged access management (PAM), and account lifecycle processes. How are you verifying who has access to patient data across your organization?
- Test your breach notification process. If CareCloud determines your data was accessed, how will you notify impacted patients? Most hospitals have created breach notification templates and configured automatic systems to streamline the process.
- Implement a vendor risk monitoring program. Annual vendor security questionnaires are inadequate in an environment where healthcare breaches are disclosed monthly. A risk analysis program can provide ongoing visibility into the security operations of your most critical vendors.
- Schedule a Compromise Assessment. Concerned that CareCloud’s breach may have impacted your environment? Schedule a HALOCK Compromise Assessment to evaluate whether your environment has been compromised by a threat actor.
- Review and test your IRP. Did your incident response plan get a workout when this incident occurred? IRPs should be tested annually at a minimum. Hire a third party to test your plan by simulating a realistic breach.
- Schedule a sensitive data scan. Do you know where all of your PHI is located across your network? A sensitive data scan will identify where PHI is stored and provide you with visibility so you can start to govern it.
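The access-control review above (MFA coverage, privileged access, account lifecycle) is concrete enough to script. The following is an added example, not code from CareCloud or HALOCK: it audits an AWS IAM credential report, the artifact `aws iam get-credential-report` returns, for console users without MFA, an unprotected root account, access keys past a rotation window, and dormant accounts. The CSV embedded below is a constructed sample limited to the report columns the checks use; the 90-day thresholds and the audit date are assumptions.

```python
"""Audit an AWS IAM credential report for weak authentication hygiene.

Added example: flags console users without MFA, root without MFA, stale
access keys and dormant accounts. SAMPLE_REPORT is a constructed CSV in
the column layout of `aws iam get-credential-report` (subset of columns).
Thresholds and the audit date are assumptions, not policy from the page.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2026-03-01T08:12:00+00:00,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-05-02T10:00:00+00:00,true,2026-03-15T07:30:00+00:00,true,true,2026-01-20T00:00:00+00:00,2026-03-15T07:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2024-06-11T10:00:00+00:00,true,2026-03-14T16:45:00+00:00,false,false,N/A,N/A
svc-etl,arn:aws:iam::123456789012:user/svc-etl,2023-02-01T10:00:00+00:00,false,not_supported,false,true,2023-02-01T10:00:00+00:00,2026-03-15T02:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2024-01-15T10:00:00+00:00,true,2025-09-01T09:00:00+00:00,true,true,2025-08-01T00:00:00+00:00,2025-09-01T09:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90   # assumption: access-key rotation policy
MAX_IDLE_DAYS = 90      # assumption: dormant-account threshold
# Assumption: audit as of the incident date so the sample is reproducible.
AUDIT_DATE = datetime(2026, 3, 16, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for each hygiene problem found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        # Root is reported with password_enabled=not_supported, so check it explicitly.
        if user == "<root_account>" and not mfa:
            findings.append((user, "root account without MFA"))
        elif console and not mfa:
            findings.append((user, "console login enabled without MFA"))

        # Long-lived keys (typical of service accounts) must still be rotated.
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key older than {MAX_KEY_AGE_DAYS} days"))

        # Last activity is the later of password use and key use.
        seen = [t for t in (_parse_ts(row["password_last_used"]),
                            _parse_ts(row["access_key_1_last_used_date"])) if t]
        if seen and now - max(seen) > timedelta(days=MAX_IDLE_DAYS):
            findings.append((user, f"no activity in {MAX_IDLE_DAYS} days; review for deprovisioning"))
    return findings


def sample_findings():
    """Run the audit over the constructed sample as of AUDIT_DATE."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user:15} {finding}")
```

On the sample, `alice` is clean, `bob` has console access without MFA, `svc-etl` carries a three-year-old access key, the root account has no MFA, and `carol` is both past key rotation and dormant. Against a real report, decode the base64 body that `get-credential-report` returns and pass it as `report_csv`; the same checks map to the MFA, PAM, and lifecycle questions above.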
Review Your Risk and Security Posture
