A Telehealth Platform Lost 716,000 People's Health Data in Two Days — and Took Four Months to Say So
OpenLoop Health confirmed a January 2026 intrusion that exposed the names, birth dates, and medical information of 716,000 telehealth users. A threat actor called Stuckin2019 claims to hold data on 1.6 million. Disclosure came roughly four months after the breach.
OpenLoop Health's attackers were inside for about 48 hours in January. They left with the names, addresses, birth dates, and medical information of 716,000 people — and a threat actor now claims the real number is more than double that. The platform told the public roughly four months later.
DES MOINES, IA — OpenLoop Health, a US telehealth platform that provides virtual-care infrastructure for both consumer and business healthcare clients, has confirmed that a January 2026 cyberattack exposed the personal information of approximately 716,000 individuals. According to the company and reporting by SecurityWeek and the HIPAA Journal, an unauthorized third party had access to OpenLoop's network from January 7 to January 8, 2026 — a window of roughly 48 hours — and copied files containing names, addresses, email addresses, dates of birth, and medical information. OpenLoop says Social Security numbers were not accessed or stolen. The company learned of the intrusion on January 7, reported it to authorities in March, and only recently determined the full scope; affected individuals are now being notified by mail and offered complimentary credit monitoring and identity-theft protection.
Two facts complicate the official account. First, a threat actor using the moniker Stuckin2019 has claimed responsibility in a hacking-forum listing and claims to hold the information of 1.6 million patients — more than double OpenLoop's confirmed figure. Claimed totals from criminal forums are routinely inflated and should be treated with skepticism, but the gap is wide enough that the confirmed 716,000 should be read as a floor, not a settled number. Second, the timeline: a breach discovered on January 7, reported to authorities in March, and disclosed publicly in May is a roughly four-month gap between incident and public notification. The HIPAA Breach Notification Rule generally requires covered entities to notify affected individuals and the HHS Office for Civil Rights within 60 days of discovery, and OpenLoop's timeline will invite scrutiny of when "discovery" is deemed to have occurred and whether the notification clock was met.
Telehealth Platforms Are a Concentrated Healthcare Attack Surface
OpenLoop Health is not a hospital, and that is precisely why this breach matters. It is a telehealth platform — infrastructure that other healthcare and consumer companies plug into to deliver virtual care. That business model aggregates protected health information from many provider and patient interactions into one place, without necessarily inheriting the security maturity of an established hospital system. A 48-hour intrusion walked out with structured records on 716,000 people because the records were all there to take. The CyberSignal has been documenting this concentration risk across the healthcare sector — the Atrium Health breach traced back to a Cerner and Oracle Health repository, ransomware that forced West Pharmaceutical to take global systems offline — and OpenLoop extends the pattern to the telehealth tier specifically.
For healthcare CISOs and compliance officers, the practical takeaway is to treat telehealth platforms as a named category of vendor risk, not an afterthought. If your organization sends patient data through a telehealth partner, that partner's security posture is your security posture, and its breach is your breach to disclose. Audit those relationships, review the business associate agreements, and build telehealth-platform compromise into your sector risk register alongside EHR-vendor and pharmaceutical-supply-chain compromise. The 2026 healthcare critical-infrastructure pattern is now broad enough — EHR vendors, pharmaceutical packaging, telehealth platforms — that treating any one of them as a niche concern is a planning failure.
Four Months Is the Other Story
The breach itself is serious; the disclosure timeline is its own problem. OpenLoop learned of the intrusion on January 7, 2026, reported it to authorities in March, and notified the public in May, roughly four months from discovery to public notification. The HIPAA Breach Notification Rule requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, with notification to the HHS Office for Civil Rights on the same clock for breaches affecting 500 or more individuals. A business associate that suffers the breach owes notice to the affected covered entity within the same 60 days, after which the covered entity's own clock for individuals is running; which of those roles OpenLoop occupies for a given client therefore determines whose 60 days are at issue. OpenLoop's timeline does not automatically mean a violation: the rule turns on when a breach is formally "discovered" and on how scope determination interacts with the clock. But a four-month public-disclosure gap on a 716,000-person health-data breach is exactly the kind of timeline HHS OCR examines.
The lesson for every healthcare compliance team is to treat the notification clock as an operational deadline with a documented decision trail, not a best-effort target. The rule fixes where that clock starts: a breach is treated as discovered on the first day it is known to the organization, or would have been known had it exercised reasonable diligence, and knowledge held by a workforce member or agent counts as the organization's knowledge. Record that determination when it is made, and be able to show why scope analysis did or did not delay individual notification; a written request from law enforcement stating that notice would impede an investigation is the one recognized reason to hold individual notification past the deadline, and it should be on file if it is relied on. The CyberSignal has covered the enforcement direction this points toward, with state attorneys general pursuing consumer-data cases aggressively, as in the GM driver-data settlement, and healthcare breaches of this size sit squarely in the path of both HHS OCR and state regulators. A breach is a bad day; a breach plus a notification-timeline finding is a worse one, and the second part is avoidable.
What the 716,000 Number Does Not Settle
OpenLoop's confirmed figure is 716,000 individuals. The threat actor Stuckin2019 claims 1.6 million. The honest position is that the confirmed number is a floor. Criminal-forum claims are routinely inflated to drive attention and pressure, and there is no reason to take Stuckin2019's figure at face value — but a discrepancy this large means the scope determination that produced 716,000 is worth watching, and downstream organizations should not treat the confirmed number as final. If your organization is an OpenLoop business client, the action is to engage OpenLoop directly for a specific impact statement about your patients' data rather than relying on the public figure, and to audit your business associate agreement for breach-response and indemnification terms.
For telehealth platforms themselves, OpenLoop is a free tabletop exercise in what concentrated PHI aggregation invites. The architectural reality — many clients' patient data pooled into shared infrastructure — is the business model, so the defensive answer is not to un-aggregate but to instrument the aggregation: enhanced detection for bulk-export and bulk-query patterns, tight monitoring of administrative access to PHI stores, and exfiltration detection tuned to the structured-records-leaving-in-a-48-hour-window profile this breach fits. The platforms that survive the 2026 healthcare critical-infrastructure threat environment will be the ones that treat their own data-aggregation layer as the crown jewel an attacker will come for, because OpenLoop just demonstrated that one will.
The CyberSignal Analysis
Signal 01 — Telehealth Platforms Belong on the Healthcare Sector Risk Register Now
OpenLoop's breach extends the 2026 healthcare critical-infrastructure compromise pattern — already documented across EHR vendors and pharmaceutical supply chains — to the telehealth tier. Telehealth platforms aggregate protected health information from many clients into shared infrastructure, creating concentrated risk without necessarily carrying hospital-grade security maturity; a 48-hour intrusion exposed 716,000 records for exactly that reason. Healthcare CISOs and compliance officers should treat telehealth platforms as a named vendor-risk category: audit those relationships, review business associate agreements, and add telehealth-platform compromise to the sector risk register. If you are an OpenLoop business client, engage the company directly for a specific impact statement rather than relying on the public 716,000 figure — which, given the threat actor's larger claim, should be read as a floor.
Signal 02 — The Notification Clock Is an Operational Deadline, Not a Best-Effort Target
OpenLoop discovered the breach on January 7, reported to authorities in March, and disclosed publicly in May — roughly four months, against a HIPAA Breach Notification Rule that generally requires individual and HHS OCR notification within 60 days of discovery. Whether that timeline complies turns on when "discovery" is deemed to have occurred, but a gap this size on a 716,000-person health-data breach is exactly what HHS OCR and state attorneys general examine. Every healthcare compliance team should treat the 60-day clock as a hard operational deadline with a documented decision trail: define and record when a breach is "discovered," document how scope determination interacts with the clock, and be able to show the reasoning. A breach plus a notification-timeline finding is a worse outcome than the breach alone — and the second part is within the organization's control.
What to Do This Week
- Healthcare CISOs and compliance officers: add telehealth platforms to your sector vendor-risk register as a named category. Audit your telehealth partner relationships and review the business associate agreements for breach-response and indemnification terms.
- If your organization is an OpenLoop Health business client, engage OpenLoop directly for a specific impact statement about your patients' data — do not rely on the public 716,000 figure, which the threat actor's larger claim suggests should be treated as a floor.
- Healthcare compliance teams: treat the HIPAA 60-day breach-notification clock as a hard operational deadline. Define and document when your organization considers a breach "discovered," and record how scope determination interacts with the notification timeline.
- Telehealth platform operators: instrument your data-aggregation layer. Implement enhanced detection for bulk-export and bulk-query patterns, tight monitoring of administrative access to PHI stores, and exfiltration detection tuned to structured records leaving in a short window.
- SOC and threat-hunting teams in healthcare: hunt for the breach profile this incident fits — a short-duration intrusion exfiltrating structured patient records — and audit administrative access paths to any system that aggregates PHI across multiple clients or providers.
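The bullets on instrumenting the data-aggregation layer and hunting for the short-window bulk-exfiltration profile, like the earlier paragraph on bulk-export and bulk-query detection, describe a detection pattern without showing one. The block below is an added example, not OpenLoop's code and not any vendor's detection logic: a sliding-window detector run over constructed audit records of a hypothetical multi-tenant PHI store. The record schema (actor, ts, action, client_id, patient_id, rows), the three sample actors, and the thresholds are all assumptions chosen for illustration; in production the thresholds come from each actor class's observed baseline.

```python
"""Sliding-window detector for bulk PHI access across tenants.

Added example, not OpenLoop's code. The audit-record format (JSON lines with
actor, ts, action, client_id, patient_id, rows) is a hypothetical schema, and
the sample log is constructed for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _rec(actor, ts, action, client, patient, rows=1):
    """Serialize one hypothetical audit record as a JSON line."""
    return json.dumps({"actor": actor, "ts": ts, "action": action,
                       "client_id": client, "patient_id": patient, "rows": rows})


def build_sample_log():
    """Constructed audit lines: one normal clinician, one bulk reader spanning
    several tenants, and one service account doing a large export."""
    base = datetime(2026, 1, 7, 2, 0, tzinfo=timezone.utc)
    lines = []
    # dr_lee: 6 patients from a single client over an hour -> normal workload.
    for i in range(6):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(_rec("dr_lee", t, "read", "clinic-a", f"p{i:04d}"))
    # admin_ops: 80 distinct patients across 4 clients in ~27 minutes -> bulk read.
    for i in range(80):
        t = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(_rec("admin_ops", t, "read", f"client-{i % 4}", f"q{i:04d}"))
    # svc_report: one export call touching 120000 rows -> bulk export.
    lines.append(_rec("svc_report", (base + timedelta(hours=1)).isoformat(),
                      "export", "*", None, rows=120000))
    return "\n".join(lines)


def parse_events(text):
    """Parse JSON lines into dicts with tz-aware timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_access(events, window=timedelta(hours=1), max_patients=50,
                       max_clients=1, max_export_rows=10000):
    """Return {actor: set of reasons} for actors whose activity inside any
    sliding window exceeds a threshold. Reasons: 'bulk_read' (too many distinct
    patients), 'cross_client' (records from more tenants than the actor should
    touch), 'bulk_export' (single export larger than max_export_rows).
    Thresholds are illustrative assumptions, not recommended values."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # actor -> deque of (ts, client_id, patient_id)
    for e in events:
        actor = e["actor"]
        if e["action"] == "export":
            if e.get("rows", 0) > max_export_rows:
                alerts[actor].add("bulk_export")
            continue
        q = recent[actor]
        q.append((e["ts"], e["client_id"], e["patient_id"]))
        # Drop anything older than the window before measuring spread.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        patients = {p for _, _, p in q}
        clients = {c for _, c, _ in q}
        if len(patients) > max_patients:
            alerts[actor].add("bulk_read")
        if len(clients) > max_clients:
            alerts[actor].add("cross_client")
    return dict(alerts)


def run_detection():
    """Run the detector over the constructed sample log."""
    return detect_bulk_access(parse_events(build_sample_log()))


if __name__ == "__main__":
    for actor, reasons in sorted(run_detection().items()):
        print(f"{actor}: {', '.join(sorted(reasons))}")
```

Three things in this shape transfer to a real PHI store regardless of schema: count distinct patients rather than raw requests, so a noisy but legitimate workflow does not fire while a scraper that touches each record once does; treat tenant spread as its own signal, because a platform that pools many clients' data has very few principals with a legitimate reason to read across them; and handle export-style calls separately, since a single row-count field on one record can represent more data than a week of interactive reads.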