Cloud-Based EHR Vendor Notifies SEC About Hacking Incident


CareCloud: Intruder Accessed Systems for 8 Hours, Still Assessing Extent of Breach

Electronic health records vendor CareCloud told the U.S. Securities and Exchange Commission that it suffered a recent hacking incident and is assessing the extent of data affected.

Cloud-based electronic health records vendor CareCloud has notified the U.S. Securities and Exchange Commission of a cyber incident earlier this month that temporarily disrupted its software and involved unauthorized access to one of its EHR environments. The company is assessing whether patient data was accessed or stolen.


Somerset, New Jersey-based CareCloud, which generated $120.5 million in revenue in 2025, told the SEC on Friday that it suffered a network disruption on March 16 for about eight hours that affected the functionality of, and access to, one of its six EHR environments.

Formerly known as MTBC, CareCloud touts itself as providing artificial intelligence-powered health IT solutions to more than 40,000 healthcare providers in 70 medical specialties across all 50 states.

Upon discovering the incident, CareCloud said it reported the matter to its cyber insurer and engaged an outside cyber response advisory team to assist with securing the affected environment, as well as to conduct a comprehensive IT forensic investigation to determine the nature and scope of the incident.

The incident, contained the same day, was limited to the CareCloud Health EHR environment and did not affect the company’s other platforms, divisions, systems, data or environments, CareCloud said. The company said it believes the incident “was caused by an unauthorized third party who temporarily had access to the system.”

All affected systems have been fully restored, and the threat actor no longer has access to those systems, CareCloud told the SEC. The compromised environment stores patient information, and CareCloud is assessing whether patient information or other data was accessed or exfiltrated, and the categories and volume of any such data.

As part of its remediation efforts, CareCloud said it is working with outside cybersecurity professionals to reinforce the company’s information technology systems and to help prevent future unauthorized access.

CareCloud reported the incident to law enforcement and believes it has sufficient cybersecurity insurance coverage for any potential losses.

CareCloud told the SEC that the hack so far has not had a significant impact on its operations or financial situation.

Nonetheless, the company determined that the incident “is material in light of the sensitivity of the potentially affected information and the potential consequences of the incident, including remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, customers, counterparties, reputation and operation.”

CareCloud did not immediately respond to ISMG’s request for additional details about the incident, including the number of clients and patients’ data contained in the compromised IT systems.

Risks to EHR Clients, Patients

Cyberattacks involving EHR vendors are especially concerning given their immediate effect on patient care, along with the potential to compromise patient safety and the privacy of medical information, some experts said.

“Attacks on EHR vendors, particularly cloud-based platforms, can create enterprise-wide risk,” said Dave Bailey, vice president at privacy and security consulting firm Clearwater.

“A successful compromise could expose large volumes of patient data, disrupt system availability and introduce data integrity issues if records are altered. These impacts extend beyond privacy to patient safety, as clinicians may be forced to make decisions without reliable or timely information,” he said. Also, because vendors serve multiple organizations, a single incident can cascade across the healthcare ecosystem, amplifying operational, financial and reputational consequences, he said.

Hackers having direct access to patient electronic protected information via EHR attacks also can result in a variety of potential harms to the affected patients, said Steven Adler, a partner at consulting firm The Edmund Group and a former risk management executive at health insurer Humana.

The harms to patients range from identity theft to publicly disclosing medical conditions involving sensitive services such as mental health and substance abuse, he said.

“From a broader risk perspective, EHR exfiltration events can lead to the resale of patient data for false claim submissions and other nefarious activities, which continue to drive up healthcare costs,” he said.

EHR vendors also pose risk to their healthcare provider clients, especially when the cyber incident involves a data breach. With that top of mind, Adler advises healthcare organizations to take “an abundance of caution” when employing EHR solutions with third-party vendors.

That includes conducting thorough due diligence during vendor selection. “How is your prospective EHR vendor behaving in the marketplace? Have they experienced cyber events and if so, were there after-action items and were they mitigated?” he said. Other areas to review are the vendor’s financial health, litigation and any regulatory action taken against the company, he said.

“Ensure your EHR vendor has appropriate cyber coverage. Protect the volume of patient protected health information they will manage on your behalf. Apply a limitation of liability calculation to ensure there’s an ‘apples to apples’ alignment on coverage,” he said.

Adler also said healthcare providers need to enforce an agreed-upon comprehensive contract with their EHR vendor. That includes specific language on the definition of an incident, notification requirements, business continuity and disaster recovery capabilities, use of third and fourth parties, indemnification and a right to audit.

“Trust but verify your third-party vendor’s resiliency capabilities,” he said. “Healthcare entities need to partner with their EHR vendors through integrated scenario exercises and corrective action, and specific key risk indicators demonstrating continued operational maturity,” he said. Healthcare providers should be “highly aware of concentration risk,” he said.

“Be careful on ‘being too comfortable’ with relying on one vendor to support your EHR operational priorities. Balance out your EHR needs with the use of multiple vendors – perhaps two or three – which not only spreads the risk but also is healthy in managing performance and contract execution,” he said. “Competition is the guiding principle here.”

Bailey advises EHR vendors to notify clients as soon as there is a credible indication of impact to system availability, data access or data integrity – to not wait until after full confirmation.

“Early, transparent communication enables healthcare organizations to activate downtime procedures, protect patient safety and mitigate privacy risks in real time,” Bailey said. “Even a short delay in notification can translate into clinical disruption or unsafe decision-making. Well-defined and rehearsed incident response playbooks should guide rapid, staged communication.”




