On March 16, 2026, hackers broke into CareCloud’s network and stayed for eight hours.
Not eight minutes. Eight hours.
Long enough to move through systems, locate patient records, and potentially take what they came for. CareCloud serves more than 45,000 healthcare providers, yet most of those providers' patients have never heard of it.
That's the part of this story that doesn't make the headlines: the patients of the doctors, clinics, and medical practices whose data may have been compromised never chose CareCloud, and many of those practices had never thought of their software vendor's infrastructure as the place their patient records actually live.
The Vendor Your Patients Never Agreed To
CareCloud is a healthcare technology company based in New Jersey. It provides electronic health record (EHR) systems, billing software, and practice management tools to more than 45,000 providers across all 50 states and more than 70 medical specialties — family practices, oncology clinics, orthopedic groups, rural health systems.
When a provider uses CareCloud's software, their patient data lives in CareCloud's infrastructure. That makes CareCloud a business associate under HIPAA, which means the HIPAA Security Rule applies to CareCloud directly, not just to the practice that chose it.
On the evening of March 16, CareCloud restored full access to its systems. The company says the threat actor is no longer inside its network. What it cannot confirm yet is whether any patient data was accessed or exfiltrated during those eight hours.
That answer is still coming.
Why Eight Hours Is a Very Long Time
Cybersecurity researchers often talk about dwell time: how long an attacker has undetected access inside an environment. In enterprise environments, dwell time before detection has historically been measured in weeks or months, so eight hours is fast by that standard. The problem is what can be done in eight hours inside an EHR environment.
Eight hours in an EHR environment is not trivial. Electronic health records contain names, dates of birth, Social Security numbers, insurance information, medical histories, prescription records, and billing data. That is the full profile an attacker needs to commit medical identity fraud, file fraudulent insurance claims, or sell records on criminal markets, and exporting records from a system built to serve them takes minutes, not days.
CareCloud has not publicly disclosed how the attacker gained initial access, what authentication controls were in place, or whether multi-factor authentication was active on the compromised environment. Those details matter — not just for CareCloud’s remediation, but for understanding how this attack could reach another healthcare technology company tomorrow.
This Is a Third-Party Vendor Problem
Here’s the part that should concern every healthcare practice in San Diego, regardless of whether they use CareCloud’s software.
Your organization may be fully HIPAA-compliant. Your team may be trained. Your passwords may be strong. But if one of your vendors (your billing company, your EHR provider, your telehealth platform, your scheduling software) has a security gap, your patients' data is exposed through their breach, not yours. Under HIPAA's Breach Notification Rule, the obligation to notify affected patients still falls on you as the covered entity, whoever's network was actually compromised.
The Change Healthcare ransomware attack in 2024 demonstrated this at national scale: cybercriminals compromised a subsidiary of UnitedHealth Group and disrupted hospital billing and pharmacy systems across the country for weeks. More than 100 million Americans had health data exposed (a count UnitedHealth later revised upward to roughly 190 million), through a vendor most of them had never heard of.
CareCloud serves a smaller footprint, but the dynamic is identical. A breach at your vendor is a breach affecting your patients.
What HIPAA Actually Requires From You
Under HIPAA, a healthcare provider must obtain satisfactory assurances, in a written Business Associate Agreement (BAA), that each vendor handling protected health information on its behalf will safeguard that data, and the provider's own Security Rule risk analysis has to account for the ePHI those vendors hold. The BAA is the legal foundation, but it is not a security strategy.
The BAA tells you who is responsible. It does not tell you whether your vendor is actually secure.
Meaningful vendor risk management means asking the right questions before something goes wrong:
- Does this vendor have documented incident response procedures?
- When and how will they notify us if patient data is involved in a breach?
- What certifications or third-party audits can they provide?
- How is our data isolated from other clients’ data in their environment?
- What would happen to our operations if this vendor went offline for 24 hours?
Most practices have never had these conversations with their software vendors. The CareCloud breach is a good moment to start.
What to Do Right Now
If your practice uses CareCloud products, contact them directly to ask whether your patient data was in the affected environment and what notifications you can expect. The investigation is ongoing.
If your practice does not use CareCloud, this is still a useful moment to take stock:
Audit your vendor list. Make a complete list of every third-party software or service that handles patient data. Many practices are surprised by how long that list actually is.
Review your BAAs. Every vendor on that list should have a signed Business Associate Agreement. If any are missing, that is a HIPAA compliance gap.
Ask about breach notification timelines. HIPAA requires a business associate to notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. That 60-day ceiling is a maximum, not a target: many BAAs negotiate a much shorter window, and your own deadline for notifying affected patients starts running once you learn of the breach. Know your vendors' actual procedures, and the window written into your BAA, before you need to.
Talk to your IT partner. Your managed IT provider should be helping you track vendor security posture, not just managing your internal network. If they aren’t, that’s a gap worth addressing.
The healthcare organizations that handle this well are the ones that treat vendor risk as an ongoing operational question — not something they look at after a headline.
Take our free 2-minute cybersecurity assessment and find out where your real exposure is: centrexit.com/cyber-security-readiness-assessment
Sources
- CareCloud SEC 8-K Filing, March 24, 2026
- TechCrunch: Health data giant CareCloud says hackers accessed patients’ medical records
- HIPAA Journal: Healthcare Software Company Announces Breach of its Electronic Health Record Environment
- Newsweek: Millions of Health Care Patients Potentially Affected by Data Breach
- HHS Office for Civil Rights: HIPAA Business Associate Guidance
The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.