Healthcare breaches rise
Two recent incidents — a potentially millions‑patient CareCloud breach and a $1.45M settlement by OrthopedicsNY over a 2023 data incident — have kept patient data safety in the headlines. Those events underline why consumers often distrust data handling across both providers and consumer health tools (newsweek.com) (beckersspine.com).
A medical record is no longer one file sitting in one doctor’s office. It often moves through billing software, scheduling tools, cloud storage, and outside technology vendors, so one break-in can spread across hundreds of clinics at once. (hhs.gov)

That is why the CareCloud incident drew so much attention. CareCloud told the Securities and Exchange Commission that an unauthorized third party got into 1 of its 6 electronic health record environments on March 16, 2026, and disrupted access for about 8 hours. (sec.gov) CareCloud works with more than 45,000 providers, which is why early reports said the number of affected patients could reach into the millions even though the company had not pinned down a final total as of March 31. One compromised vendor can function like a broken water main feeding an entire neighborhood. (hipaajournal.com) (newsweek.com)

The company said the breach appeared limited to the CareCloud Health environment and that it brought in outside incident responders, notified law enforcement, and began reviewing whether data was actually exposed. That leaves patients in the hardest stage of any breach story: the point where unauthorized access has been confirmed but the full extent of the damage has not. (sec.gov)

A second case landed days later in New York. OrthopedicsNY agreed to a $1.45 million class action settlement over a December 2023 ransomware attack that exposed data from more than 650,000 patients. (beckersspine.com) The records in that case were not just names and phone numbers. Reports said the attackers accessed financial information, protected health information, Social Security numbers, passport numbers, and driver’s license numbers, which is the identity-theft version of handing over both your house key and your mail. (beckersspine.com) OrthopedicsNY had already agreed in 2025 to pay $500,000 to the New York attorney general and to add annual risk assessments and other security measures.
The new $1.45 million settlement shows how breach costs keep arriving in waves: first the attack, then regulators, then lawsuits, then years of cleanup. (beckersspine.com)

This keeps happening at scale across the industry. The Department of Health and Human Services says it investigates breaches of protected health information affecting 500 or more people, and healthcare organizations still report more than 700 of those large breaches a year. (hhs.gov) (hipaajournal.com)

There is also a second privacy gap outside hospitals and insurers. The Federal Trade Commission said in its 2024 update to the Health Breach Notification Rule that many health apps and similar technologies are covered even when the Health Insurance Portability and Accountability Act does not apply to them. (ftc.gov) That means patients are being asked to trust two different systems at once: the traditional medical system governed by federal health privacy rules, and a fast-growing app economy governed by a different breach rule. When headlines mention CareCloud on one side and app enforcement on the other, the common thread is simple: your blood test, appointment history, or prescription list can travel farther than most people realize. (ftc.gov) (sec.gov)