A hacker managed to slip into the digital vault where millions of patient records may be stored and stayed there for hours. That’s the unsettling detail emerging from a breach disclosed by CareCloud, a major provider of electronic health record software used by hospitals and medical practices across the United States.
According to a filing the company made with the U.S. Securities and Exchange Commission, unauthorized access was detected on March 16 in one of the company’s systems used to store medical records. The attacker remained inside that environment for more than eight hours before the company shut down the intrusion and restored its systems the same day. The bigger question, what exactly the attacker saw or took, remains unanswered.
CareCloud said it is still investigating whether any data was exfiltrated and what kinds of information may have been exposed. For patients and healthcare providers relying on the platform, that uncertainty matters. Electronic health records often contain a mix of highly sensitive data, from medical histories and prescriptions to insurance information and personal identifiers.
But CareCloud’s reach is large. According to its latest annual report, the company provides software and data services to more than 45,000 healthcare providers, including doctors and physicians across thousands of hospitals and clinics. That scale is exactly why cybercriminals keep targeting healthcare technology companies.
Electronic health record platforms sit at the centre of the modern healthcare system. They store enormous amounts of personal information in one place, which makes them attractive targets for financially motivated attackers. Medical data also tends to have a longer shelf life on the black market than credit card numbers, which can be quickly cancelled.
Recent history shows how disruptive these attacks can become. In 2024, hackers linked to Russia carried out a ransomware attack on Change Healthcare that compromised vast amounts of U.S. medical data and disrupted healthcare services nationwide for months.
Compared to that incident, the CareCloud breach currently appears smaller. The company said it believes the attacker is no longer inside its systems and has hired an outside cybersecurity firm to investigate.
But several key details remain unclear.
CareCloud has not said how many patients might be affected. The company also hasn’t explained how data is distributed across its six storage environments, whether each contains different records or if some hold backups of others. According to public internet infrastructure records, much of the company’s data is hosted on Amazon Web Services.
In its SEC filing, CareCloud said it determined on March 24 that the “incident is material in light of the sensitivity of the potentially affected information and the potential consequences of the incident, including remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, customers, counterparties, reputation and operations.”
Louis Eriakha
