Sensitive personal and health information belonging to thousands of individuals was allegedly exposed after a network disruption at a major healthcare technology provider, raising concerns about the protection of patient data in the digital age. The complaint was filed by Linda Arslanian on April 1, 2026, in the United States District Court for the District of New Jersey against CareCloud, Inc., following what is described as a significant data breach impacting patients across the country.
According to the class action complaint, CareCloud provides cloud-based software and services to medical practices and health systems, including electronic health records and billing solutions for over 40,000 providers. The suit alleges that on March 16, 2026, CareCloud experienced a temporary network disruption affecting one of its six electronic health record environments for approximately eight hours. During this period, it is claimed that unauthorized parties accessed and acquired files containing unencrypted personally identifiable information (PII) and protected health information (PHI) from patients whose data was managed by CareCloud.
The plaintiff asserts that CareCloud failed to implement reasonable security procedures and practices appropriate to the nature of the sensitive information it maintained. The complaint states: “Defendant failed to take precautions designed to keep individuals’ Private Information secure.” It further alleges that CareCloud had statutory, regulatory, contractual, and common law duties—including obligations under federal laws such as HIPAA (Health Insurance Portability and Accountability Act) and Section 5 of the Federal Trade Commission Act—to protect this private information from unauthorized access or disclosure.
Upon discovery of the incident, CareCloud reportedly launched an investigation into the scope and nature of the breach. However, Arslanian claims that both she and other affected individuals were not provided with timely or adequate notice regarding what types of information were unlawfully accessed or how they might be impacted. The complaint contends: “Defendant has yet to notify impacted people of the Data Breach.”
The filing describes various harms allegedly suffered by Arslanian and others whose data was compromised. These include an increased risk of identity theft or fraud; out-of-pocket expenses related to monitoring credit reports or changing passwords; emotional distress; invasion of privacy; loss of value in their personal data; diminished benefit from services paid for with an expectation of confidentiality; and ongoing risk due to continued possession of their private information by CareCloud.
Arslanian’s legal arguments rest on several grounds: negligence in failing to secure private information; negligence per se based on violations of federal statutes like HIPAA; breach of third-party beneficiary contracts between CareCloud and its clients (the medical providers); unjust enrichment through retention of payments intended for cybersecurity protections not delivered; violation of California’s Confidentiality of Medical Information Act (CMIA); and violation of the California Consumer Privacy Act (CCPA). For example, under CMIA allegations specific to California residents whose medical information was involved in the breach, plaintiffs seek compensatory damages as well as statutory penalties up to $3,000 per individual plus attorneys’ fees.
The suit also requests injunctive relief requiring CareCloud to strengthen its data security systems through periodic audits by third-party experts; provide lifetime credit monitoring and identity theft insurance for those affected; improve employee training around cybersecurity threats; promptly notify affected individuals about future breaches; segment user applications with firewalls and access controls; regularly scan databases for vulnerabilities; educate clients about protecting their own patients’ data; among other measures.
Plaintiff seeks certification for two classes: a nationwide class comprising all individuals whose private information was accessed or acquired during the breach, as well as a California subclass for state residents similarly affected. The complaint argues that class action treatment is appropriate given common questions about whether CareCloud’s security practices were reasonable under applicable laws.
Linda Arslanian is represented by undersigned counsel whose names are included in court filings but not specified in this excerpt. No judge’s name appears explicitly in this document. The case is identified as Case No.: 3:26-cv-03511.
Source: 326cv03511_Arslanian_v_Carecloud_Inc_Complaint_District_New_Jersey.pdf
