Clarification regarding recent TheraSaaS service activity

At TheraSaaS, we believe that the foundation of a great practice is trust. That’s why we want to address some recent misinformation circulating and provide you with a clear, direct update on our system’s security.

The Facts First

To be absolutely clear:

• TheraSaaS was not hacked.

• No data breach occurred.

• Patient records and financial information remain 100% secure.

We are aware of reports suggesting otherwise. We want to reassure our community that these claims are incorrect. Our internal systems and your private data have not been compromised.

What Actually Happened?

On April 8, 2026, our support team identified a nuisance-based attack targeted at a single, public-facing scheduling link belonging to one of our subscribers.

A spam bot (an automated script) began repeatedly interacting with a publicly accessible TheraSaaS calendar link. By booking "ghost" appointments in rapid succession, the bot triggered a high volume of automated confirmation emails and texts.

This caused an unusual spike in outbound communications (emails & texts) to fake international phone numbers and emails addresses. And, unfortunately, drained the affected subscriber’s account credits.

While this activity looked alarming from the outside, it was not a breach of our back-end systems. It was a targeted abuse of a public website form.

How We’ve Responded

Our priority was ensuring the safety of our users and the integrity of the platform:

• Zero Unauthorized Access: Our investigation confirmed that no unauthorized person gained access to any TheraSaaS accounts or databases.

• Subscriber Remediation: We have already worked with the affected subscriber to refund their account credits and implement specific safeguards for their links.

• System-Wide Updates: Our engineering team is beginning to deploy new detection layers to identify and block this specific type of bot behavior across the entire TheraSaaS platform.

Best Practices: How to Protect Your Practice

To help you maintain the highest level of protection against "nuisance" spam, we strongly recommend a simple proactive step:

Enable reCAPTCHA on all public forms.

Adding this "I’m not a robot" verification is the most effective way to ensure only real humans are interacting with your calendar or forms, protecting your outbound credits and your peace of mind.

Our Commitment

Security is a constant evolution. We take the responsibility of protecting your practice seriously and will always choose transparency over silence.

Thank you for being a part of the TheraSaaS community. If you have any questions about your account settings or these updates, our support team is ready to assist you.

Brent Stutzman
TheraSaaS, Founder