OpenLoop Health Breach Exposes 716,000 Patient Records

OpenLoop Health disclosed a two-day breach in January 2026 that affected 716,000 patients, with a threat actor claiming the true total exceeds 1.6 million.

    OpenLoop Health, a Des Moines, Iowa-based telehealth infrastructure company, disclosed Tuesday that attackers accessed patient data during a two-day window in January 2026, affecting at least 716,000 individuals. The breach occurred on January 7–8, 2026, and was discovered on the first day of intrusion. Public notification came more than four months later, following an update to the HHS breach portal in May 2026. A threat actor claiming responsibility for the breach disputes the official victim count, alleging the true number of affected individuals exceeds 1.6 million — more than double the figure OpenLoop reported to federal regulators.

    OpenLoop Health Breach: Two Days of Access, Four Months to Disclosure

    OpenLoop Health’s breach timeline begins January 7, 2026, when the company’s systems were accessed by an unauthorized party. The intrusion continued into January 8 before being contained. Discovery occurred on the day access began, according to OpenLoop’s disclosure, meaning the company identified the intrusion while it was still active or immediately after containment.

    Despite same-day detection, the breach was reported to the Department of Health and Human Services in March 2026 — approximately two months after the incident. The HHS breach portal, which triggers public visibility under HIPAA’s notification requirements, was not updated until May 13, 2026 — more than four months after the intrusion occurred. HIPAA generally requires covered entities and their business associates to notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach affecting more than 500 individuals.

    What Data Was Exposed and What Notifications Were Filed

    OpenLoop Health confirmed that the following categories of personal and medical information were exposed: names, physical addresses, email addresses, dates of birth, and medical data. The company confirmed that electronic health records, Social Security numbers, and financial account information were not exposed in the breach.

    OpenLoop filed notifications with three regulatory bodies: the Department of Health and Human Services under HIPAA, the California Attorney General, and the Texas Attorney General. Filing with multiple state attorneys general indicates that a portion of the affected individuals reside in states with separate breach notification requirements beyond the federal HIPAA framework. Affected individuals are receiving 12 months of complimentary identity and credit monitoring services.

    The Gap Between the 716,000 Official Count and the 1.6 Million Claim

    A threat actor claiming responsibility for the breach published their own figure: 1.6 million individuals affected. The discrepancy between the claimed 1.6 million and OpenLoop’s disclosed 716,000 is substantial — a difference of approximately 884,000 people. Significant gaps between official and threat-actor-claimed victim counts are not unusual following data breaches, as attackers may exaggerate their claims to increase leverage, or may have accessed data from multiple systems while only a subset was identified by the victim during forensic investigation.

    The size of the discrepancy, combined with the four-month notification delay, raises questions about the completeness and timeline of OpenLoop’s breach scope determination. Whether the official figure represents the full scope of affected individuals or a partial count from an investigation still underway at time of disclosure is not addressed in the company’s public communications.

    OpenLoop’s Role as Telehealth Infrastructure for Multiple Healthcare Brands

    OpenLoop Health’s position as a white-label digital health infrastructure provider amplifies the breach’s potential reach beyond the company itself. OpenLoop provides the backend platform through which other healthcare organizations and consumer companies deliver virtual care services to their own customers. This business-to-business model means that the 716,000 individuals in the official breach count — and any additional affected individuals beyond that figure — are primarily patients of the consumer-facing brands built on top of OpenLoop’s infrastructure, not OpenLoop customers directly.

    The breach of a shared infrastructure layer thus affects individuals who may have no direct knowledge of OpenLoop Health’s involvement in their care. Patients of telehealth services built on OpenLoop’s platform may receive breach notifications with OpenLoop’s name attached to a company they have never interacted with directly — a consequence of the layered nature of digital health platforms where infrastructure providers hold patient data for multiple front-end organizations simultaneously.
