716,000 Impacted by OpenLoop Health Data Breach

OpenLoop Health Discloses Breach Affecting 716,000 People

OpenLoop Health, a telehealth infrastructure and clinician network platform, has confirmed that a cyberattack in January 2026 compromised the personal information of approximately 716,000 individuals. The company disclosed the breach on May 13, 2026, as required under HIPAA's breach notification rules, which mandate notification to affected individuals and the Department of Health and Human Services within 60 days of a breach's discovery.

The incident is among the largest healthcare data breaches reported in 2026, affecting a population equivalent to the entire city of Seattle.

What Is OpenLoop Health?

OpenLoop Health operates as a telehealth enablement platform, providing healthcare technology infrastructure and clinician networks to other digital health companies. Rather than serving patients directly as a consumer-facing telehealth provider, OpenLoop acts as a backend infrastructure provider — supplying clinical staffing, electronic health record integrations, and care delivery infrastructure to other telehealth brands.

This model means that OpenLoop's systems may contain data from patients who believe they are using a different telehealth service provider, potentially affecting individuals who have no direct relationship with the OpenLoop brand.

Details of the Breach

According to OpenLoop's breach notification filings, the attack occurred in January 2026 and involved unauthorized access to systems containing personal and health-related information. The exfiltrated data reportedly includes:

Full names and dates of birth
Contact information (addresses, phone numbers, email addresses)
Health information, potentially including diagnoses, treatment records, and prescription data
Insurance information in some cases
Social Security numbers for a subset of affected individuals

The company has not publicly identified the threat actor responsible for the attack or disclosed the specific attack vector used to gain initial access. Law enforcement has been notified.

HIPAA Implications

The scale of the breach places OpenLoop Health under significant regulatory scrutiny. Under the Health Insurance Portability and Accountability Act (HIPAA):

Affected individuals must be notified within 60 days of breach discovery
The Department of Health and Human Services Office for Civil Rights (OCR) must be notified
Breaches affecting more than 500 residents of a state or jurisdiction require media notification in that area
The HHS OCR will investigate and may impose civil monetary penalties

Healthcare data breaches carry some of the highest per-record costs of any industry, with IBM's Cost of a Data Breach report consistently placing healthcare breach costs at over $10 million per incident on average. Protected Health Information (PHI) is particularly valuable on underground markets because it enables:

Medical identity theft to fraudulently obtain prescriptions or medical procedures
Insurance fraud using stolen policy information
Targeted phishing using detailed personal and health context
Extortion of individuals with sensitive health conditions

Broader Healthcare Breach Landscape in 2026

The OpenLoop breach is part of a troubling pattern of healthcare sector cyberattacks in 2026. The industry has faced:

West Pharmaceutical Services ransomware attack (May 2026)
Sandhills Medical ransomware affecting 170,000 patients (April 2026)
Healthcare software provider ChipSoft ransomware attack disrupting Dutch hospital operations (April 2026)
CareCloud/TriZetto breach affecting 3.4 million healthcare records (March 2026)
Covenant Health ransomware breach (February 2026)

Healthcare organizations remain disproportionately targeted by ransomware groups and data extortion actors due to:

High data value: PHI commands premium prices on underground forums
Operational pressure: Healthcare cannot afford extended downtime, increasing ransom payment likelihood
Legacy infrastructure: Older systems are harder to patch and more vulnerable to exploitation
Broad attack surface: Telehealth expansion has dramatically increased the number of internet-connected healthcare endpoints

Protecting Yourself If Affected

Individuals who receive notification letters from OpenLoop Health should take the following steps:

Credit freeze: Place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) to prevent new account fraud
Medical identity theft monitoring: Contact your health insurer to request a review of your Explanation of Benefits statements for unfamiliar claims
Phishing vigilance: Be alert to healthcare-themed phishing emails that may use your breach data for social engineering
Identity theft protection: Enroll in any free monitoring services offered by OpenLoop as part of breach remediation
Review SSN exposure: If your Social Security number was included, consider filing an IRS identity protection PIN

Regulatory Response Expected

Given the scale and sensitivity of the data involved, OCR is expected to open a formal investigation into OpenLoop Health's HIPAA compliance and security practices at the time of the breach. Financial penalties could follow if investigators determine that the company failed to implement required security controls, such as:

Risk analysis and risk management programs
Access controls and audit controls
Transmission security for electronic PHI
Workforce security training and awareness

Source: SecurityWeek, May 13, 2026

OpenLoop Health Discloses Breach Affecting 716,000 People

The incident is among the largest healthcare data breaches reported in 2026, affecting a population equivalent to the entire city of Seattle.

What Is OpenLoop Health?

Details of the Breach

Full names and dates of birth
Contact information (addresses, phone numbers, email addresses)
Health information, potentially including diagnoses, treatment records, and prescription data
Insurance information in some cases
Social Security numbers for a subset of affected individuals

The company has not publicly identified the threat actor responsible for the attack or disclosed the specific attack vector used to gain initial access. Law enforcement has been notified.

HIPAA Implications

The scale of the breach places OpenLoop Health under significant regulatory scrutiny. Under the Health Insurance Portability and Accountability Act (HIPAA):

Affected individuals must be notified within 60 days of breach discovery
The Department of Health and Human Services Office for Civil Rights (OCR) must be notified
Breaches affecting more than 500 residents of a state or jurisdiction require media notification in that area
The HHS OCR will investigate and may impose civil monetary penalties

Medical identity theft to fraudulently obtain prescriptions or medical procedures
Insurance fraud using stolen policy information
Targeted phishing using detailed personal and health context
Extortion of individuals with sensitive health conditions

Broader Healthcare Breach Landscape in 2026

The OpenLoop breach is part of a troubling pattern of healthcare sector cyberattacks in 2026. The industry has faced:

West Pharmaceutical Services ransomware attack (May 2026)
Sandhills Medical ransomware affecting 170,000 patients (April 2026)
Healthcare software provider ChipSoft ransomware attack disrupting Dutch hospital operations (April 2026)
CareCloud/TriZetto breach affecting 3.4 million healthcare records (March 2026)
Covenant Health ransomware breach (February 2026)

Healthcare organizations remain disproportionately targeted by ransomware groups and data extortion actors due to:

High data value: PHI commands premium prices on underground forums
Operational pressure: Healthcare cannot afford extended downtime, increasing ransom payment likelihood
Legacy infrastructure: Older systems are harder to patch and more vulnerable to exploitation
Broad attack surface: Telehealth expansion has dramatically increased the number of internet-connected healthcare endpoints

Protecting Yourself If Affected

Individuals who receive notification letters from OpenLoop Health should take the following steps:

Credit freeze: Place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) to prevent new account fraud
Medical identity theft monitoring: Contact your health insurer to request a review of your Explanation of Benefits statements for unfamiliar claims
Phishing vigilance: Be alert to healthcare-themed phishing emails that may use your breach data for social engineering
Identity theft protection: Enroll in any free monitoring services offered by OpenLoop as part of breach remediation
Review SSN exposure: If your Social Security number was included, consider filing an IRS identity protection PIN

Regulatory Response Expected

Risk analysis and risk management programs
Access controls and audit controls
Transmission security for electronic PHI
Workforce security training and awareness

Source: SecurityWeek, May 13, 2026

716,000 Impacted by OpenLoop Health Data Breach

OpenLoop Health Discloses Breach Affecting 716,000 People

What Is OpenLoop Health?

Details of the Breach

HIPAA Implications

Broader Healthcare Breach Landscape in 2026

Protecting Yourself If Affected

Regulatory Response Expected

Hims & Hers Breach Exposes the Most Sensitive Kinds of Patient PHI

Cognizant TriZetto Breach Exposes Health Data of 3.4

250,000 Affected by Data Breach at Nacogdoches Memorial Hospital

716,000 Impacted by OpenLoop Health Data Breach

OpenLoop Health Discloses Breach Affecting 716,000 People

What Is OpenLoop Health?

Details of the Breach

HIPAA Implications

Broader Healthcare Breach Landscape in 2026

Protecting Yourself If Affected

Regulatory Response Expected

Hims & Hers Breach Exposes the Most Sensitive Kinds of Patient PHI

Cognizant TriZetto Breach Exposes Health Data of 3.4

250,000 Affected by Data Breach at Nacogdoches Memorial Hospital