The electronic health records of patients may have been leaked after hackers gained access to the systems of healthcare software firm CareCloud.

The company notified regulators at the Securities and Exchange Commission late Friday that a network disruption on March 16 impacted one of CareCloud’s electronic health record environments for eight hours. 

An investigation revealed that a hacker “temporarily had access to the system.” The incident was initially only reported to law enforcement but by March 24 company officials “determined that the incident is material in light of the sensitivity of the potentially affected information and the potential consequences of the incident.”

The consequences include “remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, customers, counterparties, reputation and operations.”

CareCloud is a large provider of technology and software to hospitals and medical practices, serving more than 45,000 providers. They offer electronic health record systems as well as digital revenue and business products. The company reported $120.5 million in revenue in the last fiscal year. 

CareCloud did not respond to requests for comment about how many people were affected. Their 8-K filing with the SEC said they are still working to “assess whether, and the extent to which, patient information or other data was accessed or exfiltrated, and the categories and volume of any such data.” 

According to the filing, one of the six electronic health record environments that CareCloud controls was temporarily affected by the incident. 

It was offline for eight hours before CareCloud restored it and no other company platforms were affected. No hacking group has taken credit for the incident as of Monday. 

Several of the largest data breaches reported this year resulted from cyberattacks on the technology companies providing tools and software to healthcare firms or insurance giants carrying patient data. 

Two weeks ago, the healthcare analytics firm Insightin told state regulators that 1.1 million people were affected by a data theft incident that took place in September. Another 3 million people had sensitive healthcare data stolen when hackers breached healthcare technology company TriZetto Provider Solutions in 2024 and 5 million were impacted when technology firm Episource was attacked.