OpenLoop Health Data Breach Affects 716,000 Individuals
On March 24, 2026, The HIPAA Journal reported on a data breach at the telehealth platform provider Open Loop Health (see below). The data breach had been reported to regulators, but it can take weeks for the incident to be added to the HHS Office for Civil Rights breach portal and for the scale of the breach to become clear. While the data breach was reported to OCR on March 17, 2026, it has only recently been added to the breach portal. That listing shows that the protected health information of up to 716,000 individuals was compromised in the incident.
March 24, 2026: Telehealth Platform Provider OpenLoop Health Discloses Data Breach
A major data breach has been reported by the telehealth platform provider OpenLoop Health Inc. While the total number of affected individuals has yet to be publicly disclosed, it could well be one of the largest healthcare data breaches of the year to date. According to the breach notice provided to the California Attorney General, OpenLoop Health learned on January 7, 2026, that an unauthorized third party had gained access to some of its systems and copied files containing sensitive data. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the incident and ensure that its systems were secured and could no longer be accessed.
The forensic investigation confirmed that the unauthorized third party had access to its network from January 7, 2026, to January 8, 2026, and the files exfiltrated from its systems included information such as names, addresses, email addresses, dates of birth, and medical information. OpenLoop Health said Social Security numbers were not accessed or stolen. Steps have since been taken to harden security, and the affected individuals are being notified by mail. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.
A threat actor with the moniker Stuckin2019 claimed responsibility for the incident in a hacking forum listing and claims to have obtained the information of 1.6 million patients. Threat actor claims may be exaggerated, the records may not all be unique, and in some cases, the claims are entirely fabricated. In this case, Stuckin2019 published samples of patient data as proof of data theft. OpenLoop Health has yet to publicly confirm the scale of the data breach or the validity of Stuckin2019’s claims. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, although the website of the Office of the Texas Attorney General lists an OpenLoop Health data breach affecting 68,160 state residents. That incident was published by the Texas Attorney General on March 18, 2026.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Databreaches.net reports that the Stuckin2019 is male and an individual rather than a group, who seemingly has form attacking telehealth companies. He claimed earlier this year to have attacked the New York telehealth company Zealthy, although the company has yet to publicly disclose any data breach. Databreaches reports that the OpenLoop Health forum post was only live for two days before being taken down, and in conversation with the hacker on Tox, was informed that payment was received and the data had been deleted.
