
CareCloud Breach: 45,000 Medical Providers' Patient Data Exposure Unknown

Unauthorized access detected March 16 in CareCloud's EHR environment; company cannot confirm if millions of patient records were exfiltrated. Investigation ongoing with external specialists and law enforcement.

A single system storing patient records at CareCloud was breached on March 16, and the company still cannot say whether millions of individuals' medical data was accessed or stolen.

The health technology firm disclosed the incident in a Securities and Exchange Commission filing, confirming that a third party gained unauthorized access to one electronic health record environment within its CareCloud Health division. Systems were restored after several hours of disruption. What happened to the data inside remains unresolved.

The affected environment contains highly sensitive medical information. Unlike financial records, which can be reset, medical data is permanent: identity details, insurance information, clinical history. This permanence makes healthcare records particularly valuable for identity theft, fraudulent billing, and exploitation that can span years.

CareCloud's infrastructure supports more than 45,000 healthcare providers across the United States, including clinics, physician practices, and hospital systems. Patients typically interact with their doctors, not with the software vendors storing their records. That distance means many individuals whose data may have been exposed do not know their information resides in CareCloud's systems.

The company has stated that other platforms and systems were not affected. It is working with external cybersecurity specialists and law enforcement on a forensic investigation. CareCloud also indicated it carries cybersecurity insurance to cover potential losses. Law firms have begun reviewing the case for potential litigation. Cybersecurity experts are advising patients to monitor financial activity, review medical records for anomalies, and consider credit alerts or freezes, even without confirmed misuse.

The incident highlights the concentration of risk in healthcare cloud infrastructure. CareCloud operates much of its system on Amazon Web Services, a platform that enables scale but also aggregates sensitive data in shared environments.

Law firms are already reviewing the case. Whether there is anything to litigate depends on a question CareCloud cannot yet answer: whether anyone took the data at all.

Source: SEC