Protect.Computer
NEWS

CareCloud discloses material cyber incident with potential patient data exposure

· 1 min read · Got hacked Identity theft
CareCloud discloses material cyber incident with potential patient data exposure

Photo by National Cancer Institute on Unsplash

Healthcare software company CareCloud disclosed a material cybersecurity incident in an SEC filing after a March 16 network disruption affected one of its six electronic health record (EHR) environments for about eight hours.

According to the company’s Form 8-K, an unauthorized party temporarily accessed the affected system. CareCloud says it contained the incident the same day, restored functionality, and brought in outside incident response and forensic support. The company also reported the incident to law enforcement.

The key unresolved risk is whether patient information in that environment was accessed or exfiltrated. CareCloud says that determination is still under investigation, and the event was deemed material due to the sensitivity of potentially impacted data and the possible legal, regulatory, and notification consequences.

If your provider uses CareCloud systems, this is the kind of incident where patient notifications and follow-up guidance may arrive later, after forensic review is complete.

How to check if you’re affected

Affected products/devices scope right now: organizations and patients tied to the specific CareCloud Health EHR environment involved in the March 16 incident (exact patient count not yet public).

  1. Ask your clinic, hospital, or provider office whether they use CareCloud Health EHR and whether their tenant/environment was part of the incident.
  2. Watch for official breach notification letters or portal/email notices from your provider (not just social posts).
  3. If notified, request the exact data types involved (e.g., demographics, insurance, medical record details) and what monitoring/remediation is being offered.
  4. Review your insurer and provider account activity for unfamiliar claims, profile changes, or billing anomalies.
  5. Enable MFA on healthcare and insurance portals, and stay alert for phishing messages referencing “records verification” or “incident updates.”

What to do now

  • Providers using CareCloud should confirm their exposure status directly with CareCloud support and legal/compliance teams.
  • Patients should rely on official notification channels and keep records of any incident correspondence.
  • Treat any urgent “click now to secure your record” messages as suspicious until independently verified.

Sources

Related reading

News
FBI confirms compromise of Director Patel's personal email inbox

The FBI says attackers accessed historical data from Director Patel's personal email account, with no government systems impacted.

News
Second FortiClient EMS zero-day in a week actively exploited — emergency hotfix released (CVE-2026-35616)

Fortinet pushed an emergency weekend hotfix for CVE-2026-35616 (CVSS 9.1), a pre-auth API bypass in FortiClient EMS 7.4.5–7.4.6 that allows unauthenticated remote code execution. Active exploitation confirmed since March 31. CISA added it to KEV with an April 9 deadline.

News
Critical FortiClient EMS flaw (CVE-2026-21643) now reported as actively exploited

Security teams are reporting active exploitation attempts against FortiClient EMS CVE-2026-21643; patching to 7.4.5+ should be prioritized.

News
Telus Digital confirms breach after ShinyHunters claims nearly 1PB data theft

Telus Digital confirmed a cybersecurity incident as ShinyHunters claims it stole nearly 1 petabyte of data tied to BPO and telecom operations.