CareTracker (Amazing Charts) suffers a data breach via a third-party vendor

Written by Tshedimoso Makhene | Nov 22, 2025 1:03:43 AM

CareTracker, also known as Amazing Charts, has disclosed a data breach affecting patient information after unauthorized access occurred through one of its third-party vendors in June 2025. The incident exposed sensitive personal and medical data, prompting regulatory notifications, patient alerts, and growing legal scrutiny.

What happened

CareTracker, Inc., also known as Amazing Charts, has disclosed a data breach after detecting “unusual activity” on June 19, 2025, in a system managed by one of its third-party vendors.

An investigation confirmed that unauthorized access occurred between June 15 and June 19, 2025.

In the ensuing data review, the company determined that sensitive information may have been compromised, including patients’ names and a variety of medical details such as diagnoses, treatment information, physician names, medical record numbers, and health insurance data.

CareTracker has begun notifying affected individuals by mail and is offering 12 months of complimentary credit monitoring. As of notification, the company says it has not found evidence of misuse of the compromised data.

Going deeper

According to Claim Depot, between June 15 and June 19, 2025, CareTracker, which provides practice-management and EHR software, experienced a data breach that exposed both personally identifiable information (PII) and protected health information (PHI) of at least 501 of its patients. The company formally disclosed the incident to the U.S. Department of Health and Human Services on August 18, 2025, and later notified the California Attorney General on November 12, 2025.

Although CareTracker has not publicly disclosed exactly how many individuals or practices were impacted, the breach may involve thousands of patients, according to class-action investigators.

What was said

According to the breach notice, “Upon detection, AC immediately took steps to ensure the third party service provider’s environment was secure and launched an investigation to determine the nature and scope of the activity.” Upon determining that there was unauthorized access on a third-party service provider’s network between June 15, 2025, and June 19, 2025, “AC promptly began a review of all information that was potentially affected. This review determined that some of your personal information could have been involved in the incident.” The affected information includes “name and certain medical information such as medical treatment or diagnosis information, physician name, medical record number, and/or health insurance information associated with services you received from Genaro C. Fernandez, MD.”

Why it matters

The compromised data, which includes names, diagnoses, treatment information, and insurance details, puts affected patients at risk of several real-world harms. Identity theft is a concern, as medical and insurance information can be enough for criminals to impersonate individuals even without confirmed Social Security numbers. Patients also face the possibility of medical identity fraud, where exposed insurance details are used to obtain healthcare services or prescriptions under someone else’s name. Additionally, cybercriminals may exploit breached health data to launch targeted scams, including fake billing notices or fraudulent insurance calls, creating a ripple effect from this breach. Although CareTracker says it has found no evidence of misuse, the potential consequences of this breach can continue to affect patients for years.

The bigger picture

The healthcare sector relies on third-party vendors for a variety of services, and every vendor connection expands the attack surface. According to IBM, “In 2022, 20% of data breaches were linked to third parties, contributing to even greater financial losses due to reputational damage and business disruption. Threat actors often target third-party vendors because of the vast amounts of sensitive data they manage.”

The CareTracker incident is a clear example of this growing risk. Even when a healthcare organization invests in strong internal security, a breach at a single connected vendor can expose patient data and trigger regulatory, operational, and legal consequences.

FAQs

Why are third-party vendors such a major risk?

Vendors often integrate deeply with healthcare systems and handle sensitive data but may have weaker cybersecurity controls. Attackers target them as a gateway to larger networks.

What can healthcare providers learn from this incident?

This breach underscores the importance of rigorous vendor-risk management. Providers must continuously evaluate the security posture of third-party partners, since vulnerabilities outside their direct control can still put patient data at risk.

How can organizations reduce the risk of similar breaches?

Healthcare providers should perform continuous vendor-risk assessments, conduct security audits, demand stricter contractual safeguards, and implement monitoring tools such as security posture management solutions.