What happened
The scale of a data breach at telehealth platform provider OpenLoop Health has been confirmed through the HHS Office for Civil Rights breach portal, with the incident now listed as affecting up to 716,000 individuals. The breach was initially reported to OCR on March 17, 2026, but has only recently appeared on the portal with a confirmed figure.
OpenLoop Health learned of the breach on January 7, 2026, when an unauthorized third party gained access to its systems and copied files containing sensitive patient data. The intrusion window was narrow, spanning January 7 to January 8, but the exfiltrated files contained names, addresses, email addresses, dates of birth, and medical information. OpenLoop confirmed Social Security numbers were not accessed. Third-party cybersecurity specialists were engaged, systems were secured, and affected individuals are being notified by mail with complimentary credit monitoring and identity theft protection offered.
A threat actor using the moniker Stuckin2019 claimed responsibility on a hacking forum and alleged theft of data belonging to 1.6 million patients, publishing sample data as proof. The forum post was live for only two days before being taken down. The Texas Attorney General’s office separately listed the breach as affecting 68,160 Texas residents. The gap between the threat actor’s claimed figure and the OCR-confirmed 716,000 may reflect duplicate records, non-unique entries, or exaggeration.
Who is affected
Up to 716,000 individuals whose personal and medical information was stored in OpenLoop Health’s systems face potential exposure. OpenLoop provides telehealth platform services to healthcare organizations, meaning the affected population spans patients across multiple client organizations rather than direct OpenLoop consumers.
Why CISOs should care
The OCR breach portal listing confirms this as one of the larger telehealth data breaches of 2026 to date. An intrusion window of one day that exposed data on 716,000 individuals illustrates how quickly brief unauthorized access can produce significant downstream exposure when the target holds aggregated patient data across multiple client organizations.
The threat actor’s profile is also worth noting. Stuckin2019 appears to be an individual with a pattern of targeting telehealth companies specifically, suggesting deliberate sector targeting rather than opportunistic attack. For telehealth platform providers and their client healthcare organizations, this indicates an active and focused threat actor operating in the space.
3 practical actions
Verify whether your organization uses OpenLoop Health services and assess potential patient data exposure: OpenLoop provides platform services to healthcare organizations, meaning downstream client organizations may have patient data affected without yet receiving direct notification. Confirm your relationship with OpenLoop and whether patient records processed through its platform fall within the confirmed breach scope.
Implement real-time alerting for unauthorized data access on systems holding aggregated patient records: The breach window was one day. Detection within that window would have required automated alerting on anomalous data access volume or unusual file copy activity. Review whether your monitoring controls would identify similar short-duration exfiltration events on systems holding large volumes of patient data.
Review third-party telehealth and platform vendor security requirements: Telehealth platform providers hold aggregated patient data on behalf of multiple client organizations, creating a high-value concentrated target. Ensure that vendor security assessments for telehealth and health IT platform providers include requirements for real-time breach detection, defined notification timelines, and audit logging sufficient to determine scope within hours rather than days.
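The second action above calls for automated alerting on anomalous data access volume. The sketch below shows one way to run that check over record-access audit events. It is an added example, not code from OpenLoop or the original article, and the event fields, thresholds, account names and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, kept tiny so the constructed sample trips them.
WINDOW = timedelta(minutes=60)  # sliding look-back per account
MAX_RECORDS = 5                 # distinct patient records per window
MAX_ORGS = 2                    # distinct client organizations per window

def detect_bulk_access(events):
    """Return one alert per account, raised at the first event where its
    sliding-window record count or cross-organization spread is exceeded.
    events: iterable of (timestamp, account, client_org, record_id)."""
    recent = defaultdict(deque)  # account -> events still inside WINDOW
    alerted, alerts = set(), []
    for ts, account, org, record_id in sorted(events):
        q = recent[account]
        q.append((ts, org, record_id))
        while ts - q[0][0] > WINDOW:  # expire reads older than the window
            q.popleft()
        records = {r for _, _, r in q}
        orgs = {o for _, o, _ in q}
        if account in alerted:
            continue
        if len(records) > MAX_RECORDS or len(orgs) > MAX_ORGS:
            alerted.add(account)
            alerts.append({"account": account, "at": ts,
                           "distinct_records": len(records),
                           "distinct_orgs": len(orgs)})
    return alerts

def sample_events():
    """Constructed audit events: a steady clinician and a fast bulk reader."""
    t0 = datetime(2026, 1, 7, 9, 0)
    events = []
    for i in range(8):   # one record per hour, single organization
        events.append((t0 + timedelta(hours=i), "clinician-a", "org-1", f"rec-{i}"))
    for i in range(12):  # twelve records across three organizations in 12 minutes
        events.append((t0 + timedelta(hours=14, minutes=i), "svc-export",
                       f"org-{i % 3 + 1}", f"rec-{100 + i}"))
    return events

if __name__ == "__main__":
    for alert in detect_bulk_access(sample_events()):
        print(alert)
```

In production the thresholds would come from each account's historical baseline rather than fixed constants, and the alert would be evaluated as events stream in so it fires inside the access window rather than after it.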
