CareCloud, a major provider of cloud-based health IT solutions, has revealed it suffered a significant data breach on March 16, 2026. In a disclosure filed with the U.S. Securities and Exchange Commission on March 24, the company stated that an unauthorized third party gained access to one of its six electronic health record (EHR) environments. The hackers maintained access for over eight hours before being detected and ejected.

While CareCloud claims to have restored its systems on the same day, the full extent of the breach is not yet known. The company has not disclosed the number of patients affected, but with a client base of over 45,000 providers, the number could be in the millions. The compromised EHR environment likely contained a vast trove of protected health information (PHI), including patient names, diagnoses, and treatment histories.

CareCloud has hired a cybersecurity firm to investigate the incident and is working to identify the individuals whose data was compromised. This breach is a critical blow to the company's reputation and a major concern for the healthcare providers who entrust their patient data to CareCloud's platform. For CISOs at provider organizations, this incident is a powerful reminder of the supply chain risk inherent in relying on third-party vendors for critical IT services. It is imperative to conduct thorough due diligence on the security practices of all vendors and to have clear contractual agreements in place regarding data breach notification and liability.