OpenLoop Health, a HIPAA-covered entity, reported a data breach affecting up to 716,000 individuals after unauthorized access to its systems resulted in the theft of files containing protected health information (PHI).
On March 17, 2026, OpenLoop Health submitted the breach report to the U.S. Department of Health and Human Services Office for Civil Rights. The incident listing on the OCR breach portal indicated that up to 716,000 individuals were affected.
On March 24, 2026, OpenLoop Health Inc. published details about the incident after sending the breach report. According to information submitted to the California Attorney General, OpenLoop Health discovered on January 7, 2026, that an unauthorized third party accessed parts of its systems and copied files containing sensitive information.
A forensic investigation determined that unauthorized access to the network occurred between January 7, 2026, and January 8, 2026. Third-party cybersecurity specialists investigated the incident to determine the scope of the breach and to secure the affected systems against further unauthorized access.
OpenLoop Health stated that the breached data included names, addresses, email addresses, dates of birth, and medical information. Social Security numbers were not accessed or stolen. OpenLoop Health will send notifications by mail and will inform recipients about the free credit monitoring and identity theft protection services available to affected individuals.
A threat actor using the name Stuckin2019 claimed responsibility for the incident in a hacking forum posting. The individual claimed to have obtained information associated with 1.6 million patients.
OpenLoop Health has not publicly confirmed the reported figure. Information published about the incident stated that threat actor claims can be exaggerated, may include duplicate records, or may be fabricated in part or in full.
Even if Stuckin2019 leaked samples of patient data to prove the data theft, OpenLoop Health has not publicly confirmed the validity of the claims regarding the total number of records allegedly obtained.
Information published by Databreaches.net stated that the forum listing connected to the OpenLoop Health incident remained online for two days before being removed. Databreaches.net also reported that communication with the threat actor through Tox indicated that payment had been received and the data had been deleted.
On March 24, 2026, when OpenLoop Health made the breach public, the incident had not yet been posted on the U.S. Department of Health and Human Services Office for Civil Rights breach portal. It had been posted earlier, on March 18, 2026, on the Office of the Texas Attorney General website, which listed 68,160 affected Texas residents.
A later update stated that the breach is now listed on the Office for Civil Rights breach portal with about 716,000 affected individuals.