Cyber Incident Victim: OpenLoop Health

On January 7, 2026, OpenLoop Health detected unauthorized access to its systems and determined that the intrusion had begun on that date and continued through January 8. OpenLoop Health said it immediately terminated the unauthorized access and launched an investigation into the matter with assistance from external cybersecurity specialists. According to notification letters filed with the Attorney General’s Offices in California and Texas, the breach was initially reported to relevant authorities in March, although the exact number of affected individuals was not entered into the U.S. Department of Health and Human Services’ breach portal until the week of the article’s publication.

The compromised data included names, physical addresses, email addresses, birth dates, and certain medical information, but the notification letters explicitly stated that electronic health records, Social Security numbers, and financial account information were not accessed. OpenLoop Health estimated that 716,000 individuals had their personal information exposed as a result of the January intrusion. The company noted that it had no evidence of misuse of the stolen data at the time of notification, yet it advised affected individuals to remain alert for potential fraud or identity theft.

In response to the incident, OpenLoop Health implemented additional security controls and coordinated with law enforcement agencies. The company also offered one year of free identity and credit monitoring services to all impacted individuals. A threat actor later claimed responsibility for the attack, asserting that they had obtained data from 1.6 million individuals, a figure that exceeds the number confirmed by the company. OpenLoop Health, headquartered in Des Moines, Iowa, provides white‑label digital health infrastructure that enables healthcare and consumer organizations to deliver virtual care services.