OPENLOOP Health confirmed a January 2026 cyberattack that exposed personal information of 716,000 individuals using its telehealth services. The breach was reported to authorities in March, but the full scope was only recently determined. OpenLoop learned on January 7, 2026, that an unauthorized third party had gained access to certain OpenLoop systems and removed information, with the unauthorized access occurring from January 7 to January 8, 2026, according to the data breach notification letter.
A hacker known as Stuckin2019 claimed responsibility for the breach and said they stole data belonging to 1.6 million patients, sharing samples as proof. The company said the incident did not involve customers’ electronic health records, Social Security numbers, or financial account information, and it offered affected individuals a free one-year IDX identity and credit monitoring service as a precaution. The US Department of Health and Human Services’ breach portal has since updated the number of impacted individuals.