The Somerset, New Jersey-based healthcare software company CareCloud has notified the US Securities and Exchange Commission (SEC) about a security incident that caused network disruption on March 16, 2026. CareCloud is a business associate of hospitals and physician practices and works with more than 45,000 providers. The company provides software solutions, including electronic health records systems, and it was its electronic health record environment that was subject to unauthorized access.
According to the SEC filing, a hacker gained access to one of its six electronic health record environments for a period of around 8 hours, partially disrupting functionality and data access. CareCloud was able to fully restore the environment on the evening of March 16, 2026. CareCloud believes that the threat actor no longer has access to its systems. Initially, the incident was reported to law enforcement, its cyber insurer was notified, and third-party cybersecurity specialists were engaged to assist with the investigation and help with securing its environment. When it became clear that this was a material incident due to the sensitivity of the data stored within the compromised environment and the potential cost of a data breach, the SEC was notified.
CareCloud believes that the incident was contained in the one CareCloud Health environment, and no other business systems were involved. The investigation to determine the nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated, and the categories of and volume of data involved.
As of the date of the SEC filing, the incident has had no material impact on the company’s operations, and the initial assessment suggests that the incident is not reasonably likely to have a material impact on the company’s financial position or results of operations, although the impact of the incident has yet to be fully assessed. There will naturally be costs associated with remediation and response, legal, regulatory, and notification-related matters, and possible effects on patients, customers, counterparties, reputation, and operations. The company holds cyber insurance policies and believes that it has sufficient insurance coverage to cover any costs.
CareCloud has not publicly disclosed how any of its clients have been affected, nor has it provided an estimate for the number of individuals whose medical records were exposed in the incident. Notifications will be issued to the affected clients and individuals when they have been identified. At the time of publication, no cyber threat actor is known to have claimed responsibility for the attack. HIPAA Journal
Click Here For The Original Source
