# CareCloud discloses unauthorized access to electronic health record environment in SEC filing _Friday, June 26, 2026 at 6:20 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_ ![CareCloud discloses unauthorized access to electronic health record environment in SEC filing — Primary](https://www.hipaajournal.com/wp-content/uploads/2026/03/data-breach-V2.jpg) CareCloud, a Somerset, New Jersey-based healthcare software company, notified the U.S. Securities and Exchange Commission about a security incident that caused network disruption on March 16, 2026. The company is a business associate of hospitals and physician practices and works with more than 45,000 providers. It provides software solutions including electronic health records systems, and one of its six electronic health record environments was subject to unauthorized access. According to the SEC filing, a hacker gained access to the environment for a period of around eight hours, partially disrupting functionality and data access. CareCloud fully restored the environment on the evening of March 16, 2026. The company believes the threat actor no longer has access to its systems. The incident was initially reported to law enforcement. CareCloud notified its cyber insurer and engaged third-party cybersecurity specialists to assist with the investigation and help secure the environment. When it became clear that this was a material incident due to the sensitivity of the data stored within the compromised environment and the potential cost of a data breach, the SEC was notified. CareCloud believes the incident was contained in the one CareCloud Health environment and that no other business systems were involved. The investigation to determine the nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated and the categories and volume of data involved. As of the date of the SEC filing, the incident has had no material impact on the company's operations. The initial assessment suggests that the incident is not reasonably likely to have a material impact on the company's financial position or results of operations, although the impact of the incident has yet to be fully assessed. There will be costs associated with remediation and response, legal, regulatory, and notification-related matters, and possible effects on patients, customers, counterparties, reputation, and operations. The company holds cyber insurance policies and believes that it has sufficient insurance coverage to cover any costs. CareCloud has not publicly disclosed how any of its clients have been affected, nor has it provided an estimate for the number of individuals whose medical records were exposed in the incident. Notifications will be issued to the affected clients and individuals when they have been identified. At the time of publication, no cyber threat actor is known to have claimed responsibility for the attack. ## Sources - [HIPAA Journal](https://www.hipaajournal.com/carecloud-data-breach/) --- Canonical: https://techandbusiness.org/newswire/X0O85GNlLhBSz1ObTpAKC9 Retrieved: 2026-06-27T04:18:04.303Z Publisher: Tech & Business (techandbusiness.org)