CareCloud confirmed unauthorized access to one of its six multi-tenant SaaS EHR environments on March 16, 2026, resulting in confirmed exposure of protected health information (PHI), an eight-hour network disruption, and an SEC disclosure filing. No CVE has been assigned, and the initial access vector has not been publicly disclosed; CWE candidates include CWE-284 (Improper Access Control), CWE-200 (Exposure of Sensitive Information), and CWE-522 (Insufficiently Protected Credentials). Organizations using CareCloud EHR, revenue cycle management, practice management, or patient experience platforms should immediately confirm in writing whether their tenant resides in the affected environment, rotate all CareCloud-related credentials and API keys, and assess HIPAA breach notification obligations under their business associate agreement (BAA).