Apr 01, 2026 · 5 min read

Hackers Accessed Millions of Patient Records Through a Healthcare IT Firm—It Told the SEC First

CareCloud, which handles electronic health records for more than 45,000 healthcare providers, disclosed a breach to the SEC on March 31. Two weeks after the attack, patients still do not know if their medical records were stolen.

What Happened

On March 16, 2026, a hacker gained unauthorized access to one of CareCloud's six electronic health record (EHR) environments. The intrusion caused a network disruption that lasted approximately eight hours before CareCloud was able to fully restore the system and cut off the attacker's access.

CareCloud reported the incident to the Securities and Exchange Commission on March 31, two weeks after the breach. The company also notified law enforcement and its cyber insurer, and engaged third-party cybersecurity specialists to investigate. But as of the public disclosure, CareCloud has not said which of its healthcare clients were affected or how many patients had their records exposed.

Why the Scale Matters

CareCloud is not a hospital. It is a business associate in HIPAA's terms: a company that stores and processes protected health information on behalf of hospitals and physician practices. The company works with more than 45,000 providers covering millions of patients across the United States.

Electronic health records contain some of the most sensitive data that exists about a person:

  • Complete medical histories including diagnoses, treatments, and prescriptions
  • Social Security numbers used for insurance billing
  • Home addresses, phone numbers, and email addresses
  • Insurance policy details and billing information
  • Mental health records and substance abuse treatment history

Unlike a credit card number that can be changed, a medical history is permanent. Stolen health records sell for up to $1,000 each on dark web marketplaces, far more than financial data, because they enable insurance fraud, identity theft, and targeted extortion.

SEC Before Patients

CareCloud's decision to file with the SEC before disclosing to affected patients reflects a growing tension in breach notification. Since 2023, the SEC has required publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. HIPAA, by contrast, gives healthcare organizations up to 60 days to notify patients of a breach affecting their protected health information.

The result: investors learned about the breach before the people whose medical records may have been stolen. CareCloud stated that its investigation into the "nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated." Translation: they do not yet know what was taken.

This pattern has become disturbingly common. Hightower took 2.5 months to disclose a breach affecting 131,000 clients, and Kaplan waited four months after finding hackers on its servers.

Healthcare Is the Most Targeted Sector

Healthcare organizations face more data breaches than any other industry. In 2025, credential theft drove the most damaging healthcare email breaches, with phishing-driven mailbox takeovers accounting for 170 breaches affecting 2.5 million individuals, according to industry analysis.

The problem is structural. Healthcare IT systems must be accessible to thousands of authorized users across multiple locations, creating a massive attack surface. Many practices run outdated software because upgrades risk disrupting patient care. And the data they protect is uniquely valuable to attackers.

What Patients Should Do

If your healthcare provider uses CareCloud, or if you are unsure whether they do, take these protective steps now rather than waiting for a notification that may take months to arrive:

  • Place a fraud alert or credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion). This prevents anyone from opening new accounts using your stolen identity
  • Monitor your Explanation of Benefits statements from your health insurer. Look for medical services, prescriptions, or equipment you did not receive, which may indicate medical identity theft
  • Request a copy of your medical records from your provider. Compare them against your actual treatment history to check for fraudulent entries
  • Be alert for phishing emails referencing your healthcare provider or insurance plan. Breach data is often used to craft convincing targeted phishing within weeks of a healthcare breach
  • File a complaint with the HHS Office for Civil Rights if your provider does not notify you within 60 days of the breach

The Legal Fallout

A class-action investigation has already been launched against CareCloud. Attorneys are examining whether the company maintained adequate security measures to protect patient data and whether its notification timeline complied with HIPAA requirements.

Under HIPAA, business associates like CareCloud face the same data protection obligations as the healthcare providers they serve. If the investigation reveals inadequate security controls, the company could face penalties from the HHS Office for Civil Rights on top of any civil litigation.