
CareCloud Breach: What Healthcare IT Gets Wrong About Data Security

Kyanite Blue Labs, Threat Intelligence·31 March 2026

What Happened at CareCloud?

CareCloud, a US-based healthcare IT company providing practice management, electronic health records, and revenue cycle management services to medical practices, disclosed a data breach in which attackers accessed its network and stole sensitive patient information. The incident caused a network disruption lasting approximately eight hours — a period during which clinical and administrative staff at practices relying on CareCloud's platform were left without access to critical systems.

The breach is significant not just for its scale, but for what it represents: a third-party technology provider sitting at the centre of dozens — potentially hundreds — of healthcare practices, holding some of the most sensitive personal data in existence. Medical records, financial information, and personal identifiers all flowing through a single platform. When that platform is compromised, the blast radius extends far beyond the vendor itself.

According to CareCloud's disclosure, reported by BleepingComputer, the company identified unauthorised access to its systems and confirmed that patient data was among the information exposed. The full scope of affected individuals had not been confirmed at the time of writing.

Why Healthcare IT Is a Persistent Target

Healthcare organisations have been the most targeted sector for ransomware and data theft for several consecutive years. The Verizon 2024 Data Breach Investigations Report found that healthcare accounted for more data breaches than any other industry, with 1,378 incidents recorded in their dataset that year.

The reasons are structural. Patient records command a high price on criminal forums — a single medical record can sell for anywhere between £30 and £250, according to Trustwave research, compared to a few pence for a compromised payment card. Attackers know this. They also know that healthcare providers are more likely to pay ransoms because downtime has direct consequences for patient safety.

But the CareCloud breach points to a subtler vulnerability: the healthcare IT supply chain. Practices outsource their technology infrastructure to vendors like CareCloud precisely because they lack the internal resource to manage it themselves. That outsourcing decision transfers operational risk, but it does not transfer the consequences of a breach. When CareCloud's systems went down, the practices whose patients' data was stolen had no control over the incident, no visibility into what was happening, and no ability to contain it.

How Did Attackers Likely Move Through the Network?

Without a full forensic report from CareCloud, the precise attack vector remains unconfirmed. However, the profile of this incident — data theft followed by service disruption — matches a well-documented pattern used by ransomware-affiliated threat actors who increasingly operate in two phases.

In phase one, attackers establish persistence and exfiltrate data quietly. This stage can last days or weeks before any visible disruption. In phase two, they deploy their payload or otherwise make themselves known, typically by encrypting systems or threatening to publish stolen data. The eight-hour outage at CareCloud is consistent with phase two activity, which implies the attackers likely had access to the environment well before anyone noticed.

This is the part that matters most for defenders. By the time a system goes offline or an alert fires, the data is already gone. Anti-data exfiltration technology exists specifically to interrupt phase one — tools like BlackFog work by monitoring and blocking outbound data transfers that match exfiltration behaviour, regardless of whether the endpoint has been formally identified as compromised. If data cannot leave the network, the leverage attackers rely on for extortion disappears. You can read more about how BlackFog's approach works at /products/blackfog.

The question worth asking is not just how attackers got in, but how long they were inside before anyone knew.

What Security Controls Were Missing?

Based on the known facts of the incident, several layers of protection appear to have been absent or insufficient. Each of these represents a decision point where the outcome could have been different.

  • Attack surface visibility: Healthcare IT platforms expose a wide and often poorly documented attack surface — APIs, remote access portals, third-party integrations. Continuous attack surface management, as provided by tools like Hadrian (/products/hadrian), identifies exploitable exposures before attackers do. Without this, organisations are defending a perimeter they cannot fully see.
  • Data exfiltration prevention: The attackers stole data. That is the defining harm of this breach. Endpoint protection alone does not stop data leaving a network once an attacker has valid credentials or an active session. Purpose-built anti-exfiltration technology intercepts the transfer itself, not just the malware that enabled it.
  • 24/7 detection and response: An eight-hour network disruption suggests either a delayed detection or a slow containment response. Managed detection and response (MDR) services — such as those delivered through Sophos MDR (/products/sophos) — provide continuous monitoring and active response around the clock. In a breach scenario, the first hour matters more than the next seven.
  • Third-party risk assessment: Practices using CareCloud had no direct way to assess the security posture of the platform they depended on. Panorays (/products/panorays) provides continuous monitoring of third-party vendors, flagging security gaps before they become your problem. Supply chain risk management is not optional for organisations whose operations depend on external platforms.
  • Email and endpoint hardening: Initial access in most healthcare breaches comes via phishing or exploitation of exposed services. Unified security coverage across email, endpoints, and cloud environments — as provided by Coro (/products/coro) for UK-based organisations — reduces the number of entry points attackers can probe.
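The two-phase pattern described under "How Did Attackers Likely Move Through the Network?" and the "Data exfiltration prevention" control above both reduce to one detection question: can you notice outbound volume that does not match a host's normal behaviour before the data is gone? The Python script below is an added illustration written for this article; it is not code from the article, from CareCloud, or from BlackFog or any other vendor named here. It baselines each host's daily egress to external addresses from a constructed flow export, then flags any later day that exceeds both a multiple of that host's baseline and an absolute floor, listing external destinations never seen during the baseline. The record format, IP addresses, thresholds and the RFC 1918 ranges treated as internal are all assumptions made for the example.

```python
"""Toy anti-data-exfiltration detector over constructed outbound-flow records.

Added illustration for this article: the flow records, field layout,
thresholds and addresses below are constructed for the example and are not
taken from the CareCloud incident or from any vendor's product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed sample export: "timestamp src dst dst_port bytes_out" per line.
# Days 1-3 are ordinary traffic; on day 4 one workstation pushes ~550 MB to a
# never-before-seen external host in the small hours (the "phase one" pattern).
SAMPLE_FLOWS = """\
2026-03-01T09:00:00 10.20.1.15 10.20.0.5 445 120000000
2026-03-01T09:05:00 10.20.1.15 203.0.113.40 443 1500000
2026-03-01T10:00:00 10.20.1.22 203.0.113.40 443 2000000
2026-03-02T09:02:00 10.20.1.15 203.0.113.40 443 1800000
2026-03-02T11:00:00 10.20.1.22 203.0.113.40 443 2200000
2026-03-03T09:10:00 10.20.1.15 203.0.113.40 443 1600000
2026-03-03T12:00:00 10.20.1.22 203.0.113.40 443 1900000
2026-03-04T02:15:00 10.20.1.15 198.51.100.77 443 250000000
2026-03-04T02:40:00 10.20.1.15 198.51.100.77 443 300000000
2026-03-04T09:30:00 10.20.1.15 203.0.113.40 443 1700000
2026-03-04T10:00:00 10.20.1.22 203.0.113.40 443 2100000
"""

BASELINE_UNTIL = date(2026, 3, 3)  # days up to and including this form the baseline

# Assumption for the example: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    port: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed export format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def is_external(ip: str) -> bool:
    """True when the address lies outside the ranges treated as internal."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_exfiltration(flows, baseline_until, ratio=5.0, floor_bytes=50_000_000):
    """Flag (host, day) pairs whose external egress exceeds the host's own baseline.

    A host is flagged when its daily bytes to external destinations exceed
    max(ratio * mean daily baseline, floor_bytes). The absolute floor stops a
    near-silent host (baseline ~0) from alerting on trivial traffic; the ratio
    catches a normally chatty host that suddenly sends far more. Each alert
    also lists external destinations never contacted during the baseline.
    """
    egress = defaultdict(int)       # (src, day) -> bytes to external destinations
    dst_seen = defaultdict(set)     # (src, day) -> external destinations contacted
    for f in flows:
        if is_external(f.dst):
            key = (f.src, f.ts.date())
            egress[key] += f.nbytes
            dst_seen[key].add(f.dst)

    baseline_totals = defaultdict(list)
    baseline_dsts = defaultdict(set)
    for (src, day), n in egress.items():
        if day <= baseline_until:
            baseline_totals[src].append(n)
            baseline_dsts[src] |= dst_seen[(src, day)]

    alerts = []
    for (src, day), n in sorted(egress.items()):
        if day <= baseline_until:
            continue
        samples = baseline_totals[src]
        mean_base = sum(samples) / len(samples) if samples else 0.0
        threshold = max(ratio * mean_base, floor_bytes)
        if n > threshold:
            alerts.append({
                "src": src,
                "day": day.isoformat(),
                "bytes": n,
                "baseline_mean_bytes": round(mean_base),
                "threshold_bytes": round(threshold),
                "new_destinations": sorted(dst_seen[(src, day)] - baseline_dsts[src]),
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return flag_exfiltration(parse_flows(SAMPLE_FLOWS), BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run it directly and it prints the single alert the sample produces: workstation 10.20.1.15 on 4 March, roughly 550 MB against a 50 MB threshold, with 198.51.100.77 as a destination it had never contacted before. Two limits are worth keeping in mind. A product-grade anti-exfiltration control acts at the point of transfer rather than reporting after the day closes, and a slow drip that stays under the floor would pass this volume rule; the `new_destinations` field is the signal to pair with volume, because data staged to attacker-controlled infrastructure usually means a destination the workstation had no prior business reason to reach.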

The Third-Party Risk Problem Nobody Wants to Talk About

CareCloud is a vendor. The practices whose patient data was stolen are the victims. That distinction matters, and it highlights a gap that exists across every sector that relies on outsourced technology: the organisations bearing the reputational and regulatory consequences of a breach are often not the ones who made the security decisions that enabled it.

In the UK, the Information Commissioner's Office has made clear that data controllers — the organisations responsible for patients' data — cannot outsource their accountability to processors. If a third-party vendor suffers a breach that exposes data you are responsible for under UK GDPR, the regulatory risk lands with you, not just with the vendor. This is not a theoretical concern. The ICO's enforcement actions following third-party breaches have included fines against the data controller even where the processor was the point of compromise.

Panorays addresses this directly by enabling organisations to continuously monitor the security posture of their supply chain, score vendor risk, and act on findings before a breach forces the issue. For healthcare practices specifically, the question is not whether to trust vendors with patient data — operational reality demands it. The question is whether you are monitoring that trust with the same rigour you would apply to your own internal systems.

What Should Healthcare Organisations Do Now?

The CareCloud breach is not an isolated event. It is the latest in a pattern of healthcare IT suppliers being targeted precisely because they aggregate risk across many downstream clients. The playbook for defending against this is established, even if it is not yet widely implemented.

First, map your dependencies. Every external platform that touches patient data represents a potential exposure point. If you do not have a complete and current list of those platforms, you cannot assess the risk they carry.

Second, apply the same security standards to vendors that you apply to yourself. Security questionnaires completed once during procurement are not sufficient. Continuous monitoring tools give you a live view of vendor security posture, not a snapshot from eighteen months ago.

Third, assume breach. Plan on the basis that a vendor you rely on will be compromised at some point. This means having incident response plans that account for third-party failures, data backup strategies that do not depend solely on vendor infrastructure, and contracts that include breach notification timelines.

Fourth, close the exfiltration gap. Most organisations invest heavily in preventing attackers from getting in, but relatively little in preventing data from getting out. Given that the defining harm in incidents like CareCloud's is data theft rather than encryption, this priority needs to shift.

Finally, ensure your detection capability operates continuously. Eight hours of downtime in a healthcare environment is eight hours during which clinical decisions may be delayed, records may be inaccessible, and the breach may be widening. MDR services exist to compress that window to minutes, not hours.

The Pattern Is Clear. The Response Has to Match It.

Healthcare data breaches follow a consistent pattern: a trusted technology platform is compromised, data is exfiltrated before anyone notices, and the downstream impact falls on organisations and individuals who had no direct role in the security failure. CareCloud is one incident in a long sequence.

What makes it instructive is the clarity with which it shows where each security layer should have been. Attack surface management to reduce the exploitable perimeter. Anti-exfiltration to interrupt the data theft before it completes. MDR to cut the detection-to-response window. Third-party risk management to give downstream organisations visibility into supplier security. None of these are novel ideas. The gap is in implementation — and in the healthcare sector, that gap continues to carry a measurable human cost alongside the financial and regulatory one.

If your organisation relies on third-party healthcare IT platforms, or if you are a vendor operating in this space, the questions raised by the CareCloud breach are worth answering before they are answered for you by an attacker.

Frequently Asked Questions

What data was exposed in the CareCloud breach?

CareCloud confirmed that sensitive patient data was accessed and stolen during the breach. While the full scope had not been confirmed at the time of writing, healthcare IT platforms typically hold medical records, personal identifiers, and financial information. Any breach of such data carries obligations under applicable data protection and healthcare privacy regulations.

How can healthcare organisations protect against third-party data breaches?

Healthcare organisations should continuously monitor vendor security posture using third-party risk management tools, deploy anti-data exfiltration technology to block outbound data theft, and maintain 24/7 managed detection and response coverage. Contractual breach notification requirements and independent incident response plans that do not rely on vendor infrastructure are also essential.

Why is healthcare such a frequent target for data theft and ransomware?

Medical records are significantly more valuable on criminal markets than payment card data, with individual records reportedly selling for up to £250. Healthcare providers also face intense pressure to restore access quickly due to patient safety risks, making them more likely to pay ransoms. These two factors combined make the sector a consistently high-priority target for financially motivated threat actors.

Tags: healthcare data breach, ransomware, data exfiltration, patient data, healthcare cybersecurity
