Full Report
On March 16, 2026, CareCloud, Inc. (the "Company") experienced a temporary network disruption in its CareCloud Health division that partially impacted the functionality and data access to 1 of its 6 electronic health record environments for approximately 8 hours until the Company fully restored all functionality and data access during that evening. Upon discovery of this incident, the Company promptly reported the matter to its cybersecurity carrier and engaged a leading cyber response advisory team which is part of a Big Four accounting firm to perform external cybersecurity work and to assist with securing the environment, as well as to conduct a comprehensive IT forensic investigation to determine the nature and scope of this incident. The Company further believes that the incident was contained to the CareCloud Health environment and did not affect the Company's other platforms, divisions, systems, data or environments. The incident was contained on the day it was discovered. The Company believes that it has sufficient cybersecurity insurance coverage for any potential losses. The Company further believes that the incident was caused by an unauthorized third party who temporarily had access to the system. The Company has reported the matter to the appropriate law enforcement authorities. The Company is continuing to investigate the nature and scope of the incident. The affected environment stores patient information, and the Company continues to assess whether, and the extent to which, patient information or other data was accessed or exfiltrated, and the categories and volume of any such data.
Analysis Summary
# Incident Report: CareCloud, Inc. Network Disruption and Unauthorized Access
## Executive Summary
On March 16, 2026, CareCloud, Inc. experienced a cybersecurity incident involving unauthorized third-party access to one of its six electronic health record (EHR) environments. The incident resulted in an eight-hour service disruption before full functionality was restored and the threat was contained. While the company is still investigating the extent of data exfiltration, the incident has been deemed material due to the sensitivity of the protected health information (PHI) potentially involved.
## Incident Details
- **Discovery Date:** March 16, 2026
- **Incident Date:** March 16, 2026
- **Affected Organization:** CareCloud, Inc. (CareCloud Health division)
- **Sector:** Healthcare Technology / SaaS
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** March 16, 2026 (Specific time undisclosed)
- **Vector:** Unauthorized third party
- **Details:** An unauthorized actor gained temporary access to the system, specifically targeting the CareCloud Health division's infrastructure.
### Lateral Movement
- **Details:** Investigation is ongoing; however, the company believes the incident was contained strictly to one of its six EHR environments and did not spread to other platforms, divisions, or systems.
### Data Exfiltration/Impact
- **Details:** The affected environment stores patient information. As of the reporting date, the company is still assessing whether data was exfiltrated and the specific categories or volume of data potentially accessed.
### Detection & Response
- **Discovery:** Detected on March 16, 2026, following a "temporary network disruption."
- **Response Actions:** The company isolated the affected environment, engaged a Big Four cyber response team, notified its insurance carrier, and reported the matter to law enforcement.
## Attack Methodology
- **Initial Access:** Unauthorized third-party access (Specific entry point unknown).
- **Persistence:** Not disclosed; likely limited due to rapid containment.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Limited/None (Contained to one EHR environment).
- **Collection:** Potential access to patient health records.
- **Exfiltration:** Under investigation.
- **Impact:** Resource Hijacking/Service Exhaustion (8-hour network disruption).
## Impact Assessment
- **Financial:** Not yet materially impacted, but remediation, legal, and regulatory costs are expected. Cybersecurity insurance is in place.
- **Data Breach:** Potential exposure of protected health information (PHI); scope currently being determined.
- **Operational:** Partial disruption of 1 out of 6 EHR environments for approximately 8 hours.
- **Reputational:** Potential impact due to the sensitive nature of healthcare data.
## Indicators of Compromise
- **Network indicators:** None disclosed in the 8-K filing.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual network disruption and unauthorized system access within the EHR environment.
## Response Actions
- **Containment:** Isolated the CareCloud Health environment on the day of discovery.
- **Eradication:** Engaged a Big Four accounting firm's forensic team to secure the environment.
- **Recovery:** Fully restored functionality and data access within 8 hours of the initial disruption.
## Lessons Learned
- **Rapid Containment:** The ability to isolate the breach to 1 of 6 environments prevented a company-wide outage.
- **Materiality Thresholds:** Even if an outage is short (8 hours), the sensitivity of the data (PHI) can trigger a "material" status for regulatory reporting.
- **Insurance Preparedness:** Having a cybersecurity carrier and pre-vetted advisory teams ready facilitated a quick response.
## Recommendations
- **Access Management:** Review and strengthen Multi-Factor Authentication (MFA) across all EHR environments to prevent unauthorized third-party entry.
- **Network Segmentation:** Continue to maintain and audit the segmentation that successfully prevented lateral movement between the 6 EHR environments.
- **Enhanced Monitoring:** Implement more granular logging and alerting within EHR environments to detect unauthorized access before it results in network disruption.
- **Data Loss Prevention (DLP):** Deploy or refine DLP tools to provide immediate visibility into whether sensitive patient data is being staged for exfiltration.