Healthcare IT platform CareCloud investigates hacking, files with the SEC
Abby Grifno
April 1, 2026
The New Jersey-based company has filed a breach report with the Securities and Exchange Commission (SEC).
What happened
On March 27th, the healthcare technology solutions provider CareCloud disclosed a data breach in an SEC filing.
According to the filing, CareCloud, which offers cloud-based software to healthcare organizations, including electronic health records, revenue cycle management, practice management, and patient engagement, faced a network disruption on March 16th. CareCloud has six electronic health record environments, and said that only one was impacted and was accessed for approximately eight hours. Currently, CareCloud is investigating to determine if any data was exfiltrated.
What was said
CareCloud said that as soon as the incident was discovered, they “promptly reported the matter to its cybersecurities carrier and engaged a leading cyber response team” to perform external cybersecurity work and “to assist with securing the environment.” CareCloud also stated that the incident was “contained on the day it was discovered.”
Lastly, CareCloud shared, “The company further believes that the incident was caused by an unauthorized third party who temporarily had access to the system.” CareCloud did not mention if the incident was a ransomware attack or if they know who the bad actor was.
Why it matters
CareCloud works with over 40,000 healthcare practices to provide services related to electronic health records and general practice management, meaning that if a hacker successfully infiltrated the network, they likely had access to a trove of valuable data. If it was a ransomware attack, the data may get posted to the dark web if negotiations fail. If it was not a ransomware attack, it’s still very likely any data will be posted online. When it comes to breaches at vendors like CareCloud, notification can be delayed and victims may feel confused about how the data got into the hands of CareCloud at all, leading to increased stress and frustration.
The big picture
Data breaches against healthcare vendors can be particularly massive, because these vendors work with so many different healthcare practices. According to a Paubox report analyzing data breaches in 2025, nearly one in three (28%) healthcare email breaches involved a business associate. The largest data breach of 2025 was tied to another New Jersey-based business associate, Conduent Business Services LLC, which impacted approximately 25 million Americans. Currently, it’s unclear how many victims there will be in the CareCloud breach, and while it’s unlikely to be as many as in the Conduent case, it’s very possible that there will be another high victim count.
FAQs
Would the breach at CareCloud be considered a vendor breach?
Yes. According to CareCloud, over 40,000 providers partner with the company to use their technology. For all of these practices, CareCloud would be considered a vendor and each organization should have a business associate agreement with CareCloud, outlining how the company handles sensitive data.
Who is responsible for notifying impacted individuals?
Currently, CareCloud is still notifying impacted practices and has not yet confirmed who will be notifying patients.
Why did CareCloud notify the SEC instead of the Department of Health and Human Services (HHS)?
CareCloud is required to notify the SEC because it is a large, public company and must disclose “material” cybersecurity incidents within four business days. This rule is designed to keep the business transparent for investors, notifying them of risks that could impact the company’s financial health. CareCloud likely notified the SEC first because of the four-day rule, while they have 60 days to notify the HHS. If the breach involves protected health information (PHI), which is likely, they will also be required to notify the HHS.
