OpenLoop Health Data Breach: What You Need to Know & What to Do Next
OpenLoop Health, Inc. reported a data breach discovered in January 2026 that resulted in the exfiltration of personal and medical information belonging to tens of thousands of individuals who received telehealth services through the company’s platform. A threat actor has claimed the breach may have affected up to 1.6 million patients nationwide.
OpenLoop Health, Inc. is a Des Moines, Iowa-based digital health infrastructure provider that offers white-label telehealth solutions to healthcare and non-healthcare companies looking to launch or scale their virtual care offerings. Founded in 2020 by Dr. Jon Lensing and Christian Williams, the company has grown to support over 120 active clients with a network of more than 20,000 clinicians conducting over 250,000 patient visits monthly across all 50 states.
OpenLoop provides the backend clinical, technical, and operational systems that allow other companies to deliver telehealth services under their own brands. Client companies using OpenLoop’s infrastructure include Remedy Meds, MEDVi, Fridays (JoinFridays), Triad RX, and numerous other telehealth entities focused on weight loss, mental health, men’s health, and other specialties.
According to breach notification letters filed with state attorneys general, on January 7, 2026, OpenLoop learned that an unauthorized third party had gained access to certain systems and removed information. The company engaged external cybersecurity specialists to investigate and determined that the unauthorized access occurred from January 7 to January 8, 2026.
A threat actor using the moniker “stuckin2019” claimed responsibility for the incident in a forum posting on January 8, 2026, alleging that they had obtained data from 1.6 million patients. The forum post was reportedly removed after two days, and according to one report, the threat actor claimed that payment was received and the data had been deleted.
What Information Was Exposed In the OpenLoop Health Data Breach?
According to OpenLoop Health’s breach notification letters filed with state attorneys general, the information involved in this incident includes names, addresses, email addresses, dates of birth, and medical information. The company stated that Social Security numbers were not accessed or stolen in the breach.
However, according to the threat actor’s claims, the exposed dataset may also include phone numbers and IP addresses. The alleged scope of the data theft—1.6 million patient records—significantly exceeds the official notification numbers, though threat actor claims are sometimes exaggerated.
Because OpenLoop provides the infrastructure for numerous telehealth companies, the breach potentially affects patients of multiple healthcare providers who may not have been aware that OpenLoop was processing their data. The exposure of medical information is particularly concerning as it can be used for medical identity theft, insurance fraud, and targeted phishing attacks.
How OpenLoop Health Responded to the Breach
Upon discovering the breach on January 7, 2026, OpenLoop engaged external cybersecurity specialists to investigate and determine the nature and scope of the incident. The investigation confirmed that the unauthorized access was terminated and that the intrusion occurred over a period of approximately one day.
OpenLoop notified the Texas Attorney General on March 18, 2026, reporting that 68,160 Texas residents were affected. The company also filed notifications with other state attorneys general, including California and Rhode Island (approximately 2,200 residents). Affected individuals are being notified by U.S. mail, and in Texas, through broadcast on statewide media.
The company is offering complimentary identity monitoring services through IDX to affected individuals. According to the notification letters, individuals have until June 17, 2026, to activate their identity monitoring services using the unique code provided in their notification letter.
Larry Trittschuh, OpenLoop’s Chief Information Security Officer, confirmed that the company was subject to a security incident in January 2026. OpenLoop now faces multiple class action lawsuits alleging that the company failed to implement adequate data security measures and comply with HIPAA safeguards.
How to Check If Your Personal Info Is Exposed
If you have received telehealth services through any of the following companies or similar telehealth platforms, your information may have been processed by OpenLoop and potentially exposed in this breach: Remedy Meds (prescribing Keeps, Nurx, Cove), MEDVi, Fridays (JoinFridays), Triad RX, and other telehealth services focused on weight loss, mental health, men’s health, or other specialties.
Because OpenLoop operates as a white-label provider, many patients may not be aware that their data was processed through OpenLoop’s systems. If you have used any telehealth service in recent years, particularly those focused on prescription medications or specialty care, you should monitor for breach notification letters from OpenLoop or from the telehealth company through which you received services.
The incident is not yet shown on the HHS Office for Civil Rights breach portal, so the full scope of affected individuals may not yet be publicly known.
What You Can Do If Your Information Was Exposed
If you receive a data breach notification from OpenLoop Health or believe your information may have been exposed, you should take immediate protective action. Review your medical explanation of benefits statements for services you did not receive and monitor your financial accounts for any unfamiliar activity.
If you receive a notification letter, take advantage of the complimentary identity monitoring services offered through IDX before the June 17, 2026, deadline. The unique activation code in your letter is required to enroll.
Be particularly cautious of phishing attempts following this breach. Scammers may send emails, texts, or letters referencing the breach to trick you into sharing additional personal information. Verify any communications claiming to be from OpenLoop Health or related organizations independently before responding or clicking any links.
Given that email addresses, phone numbers, and IP addresses may have been exposed, be alert to unexpected emails, phone calls, or text messages that could be attempts to use the stolen data for fraud.
Understanding Your Legal Rights: Data Breach Lawyer Near Me
Victims of data breaches may be entitled to legal remedies if a company did not adequately safeguard their personal information. Multiple class action lawsuits have already been filed against OpenLoop Health, alleging that the company failed to comply with HIPAA safeguards and industry standards for protecting sensitive health information.
The lawsuits allege that OpenLoop had been on notice that healthcare companies are susceptible targets for data breaches, given highly publicized cyberattacks in the industry and FBI warnings dating back to 2014. Studies cited in the litigation indicate that confirmed identity theft cases stemming from healthcare data breaches have cost individuals an average of $20,000.
Almeida Law Group is actively reviewing the OpenLoop Health incident to determine what legal options may be available for those affected.
If you received telehealth services through a company powered by OpenLoop Health and believe your information may have been exposed, you can contact Almeida Law Group for a free consultation.