CareCloud Data Breach Affects Health Record System

CareCloud Inc., a publicly traded healthcare information technology company headquartered in Somerset, New Jersey, disclosed a cybersecurity incident that affected one of its electronic health record environments. The incident occurred on March 16, 2026, in the company's CareCloud Health division.

The company disclosed the incident to the U.S. Securities and Exchange Commission on March 24, 2026. As of the date of that filing, the company had not yet determined the full scope of data that may have been affected.

What happened in the CareCloud data breach

On March 16, 2026, CareCloud experienced a temporary network disruption in its CareCloud Health division.

According to the company's SEC filing, the incident was caused by an unauthorized third party who temporarily gained access to one of the company's six electronic health record environments. The disruption partially impacted the functionality of and data access to that environment for approximately eight hours before the company fully restored all systems that evening.

The incident was contained on the same day it was discovered. CareCloud stated that the breach was limited to the CareCloud Health environment and did not affect the company's other platforms, divisions, systems, data or environments.

The affected environment stores patient information. However, the company continues to assess whether, and to what extent, patient information or other data was accessed or removed from its systems. The specific categories and volume of any such data have not yet been determined.

On March 24, 2026, CareCloud determined that the incident was material.

CareCloud's response to the breach

As part of its ongoing remediation efforts, CareCloud is working with its outside cybersecurity experts to further reinforce its information technology systems and to prevent future unauthorized access. The company stated it believes it has sufficient cybersecurity insurance coverage for any potential losses related to the incident.

The company indicated it will file an amended report with the SEC as additional information is determined or becomes available.

Steps to take if your information may have been exposed

Because the full scope of this breach has not yet been determined, individuals who are patients of healthcare providers that use CareCloud's electronic health record platform should consider taking precautionary steps to protect their personal and medical information.

• Review health insurance statements carefully. Check Explanation of Benefits documents for any medical services, prescriptions or equipment that were not actually received, which could be a sign of medical identity theft.
• Request and review medical records. Contact healthcare providers to make sure medical records are accurate and do not contain unfamiliar entries or treatments.
• Monitor credit reports regularly. Visit AnnualCreditReport.com to request free credit reports from each of the three major credit bureaus and review them for any accounts or activity that seem unfamiliar.
• Consider placing a fraud alert or credit freeze. Contact Equifax (1-800-525-6285), Experian (1-888-397-3742) or TransUnion (1-800-680-7289) to add a layer of protection to credit files.
• Be cautious of phishing attempts. Watch for suspicious emails, texts or phone calls that reference CareCloud or this data breach by name, as scammers often use news of data breaches to trick people into sharing personal information.
• Stay alert for updates from CareCloud. Because the investigation is ongoing and the company has said it will provide additional information as it becomes available, those who may be affected should watch for future notifications from CareCloud or their healthcare providers.