Active breach tracker Houston, TX Disclosed March 13, 2026

Lena Health Data Breach 2026 (FulcrumSec): 3,651 Patients Exposed Including 7,500+ Recorded Phone Calls. Houston Methodist Affected. What To Do

Bloom Circle, Inc. (d/b/a Lena Health), a Houston-based AI-driven care-coordination SaaS platform serving health systems including Houston Methodist, was breached in late 2025 by the FulcrumSec extortion group. Names, dates of birth, phone numbers, medical record numbers, 7,500+ recorded patient phone calls with AI transcriptions covering erectile dysfunction, incontinence, opioid prescriptions, and cardiac surgery for 3,651 individuals exposed. No public credit monitoring offer. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 1, 2025

Upstream vulnerability disclosed; patch issued

Dec 15, 2025

Intrusion: attacker exploits unpatched system + misconfigured public S3 bucket with unencrypted DB export

Jan 10, 2026

FulcrumSec contacts Lena Health directly; Lena initially acknowledges, then stops responding

Jan 26, 2026

FulcrumSec publishes Lena Health on leak site

Jan 28, 2026

DataBreaches.net publishes investigative report

Mar 13, 2026

HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number AI-generated call transcriptions (covering ED, incontinence, gangrene, cardiac surgery, opioid prescriptions)

03

Contact & insurance

Phishing + targeted scams

Full name Phone number 7,500+ recorded patient phone calls 68 hospital discharge documents 1,380 elderly-patient phone numbers API keys and staff login credentials
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Lena Health (corporate name: Bloom Circle, Inc.) is a Houston, Texas-based AI-driven care-coordination SaaS platform founded in 2019, operating out of the Texas Medical Center. The product is a “telephonic AI” platform combining LLM-driven outreach with human navigators — handling patient call queues, SMS scheduling, post-discharge follow-ups, and population-health outreach for health systems and clinics. Lena Health closed a $2M seed round in April 2025.

Houston Methodist is a named customer. Lena operates as a HIPAA business associate, holding patient call recordings and transcripts on behalf of its covered-entity clients. Patients are predominantly the health-system patients of Lena’s clients, not direct-to-consumer.

In mid-to-late December 2025, an attacker exploited an unpatched upstream vulnerability in Lena’s infrastructure and separately identified a misconfigured public-facing S3 bucket containing an unencrypted database export. On January 10, 2026, the threat actor FulcrumSec contacted Lena Health directly to extort payment. Lena initially acknowledged the contact, then stopped responding. On approximately January 26, 2026, FulcrumSec published Lena Health on its leak site. DataBreaches.net published an investigative report on January 28, 2026. Lena filed with HHS OCR on March 13, 2026 — confirming 3,651 affected individuals.

Early reporting cited 2,134 patients; the final OCR figure of 3,651 suggests forensic review expanded scope beyond Houston Methodist to additional Lena client patients.

FulcrumSec is a small extortion crew explicitly targeting AI-driven SaaS startups with inadequate security.

What makes this breach unusual

Lena Health holds call recordings and AI transcripts of patient conversations. The exfiltrated set is reported to include:

  • 7,500+ recorded patient phone calls (some reports: 19,542)
  • AI-generated call transcriptions covering erectile dysfunction, incontinence, gangrene, cardiac surgery, and opioid prescriptions
  • 68 hospital discharge documents
  • 1,380 elderly-patient phone numbers specifically flagged
  • API keys and staff login credentials

Voice recordings and verbatim transcripts of vulnerable elderly patients describing sensitive medical conditions represent an unusually severe exposure profile. Voice biometric data combined with full-name and medical-context information is not easily mitigated by typical post-breach remediation.

What is being offered

As of mid-May 2026, no public confirmation of credit monitoring, dedicated call center, or IDX/Kroll engagement has surfaced. Lena Health has not issued a public press statement. Houston Methodist has not commented publicly. Lena’s trust center at trust.lenaconnect.com does not display a breach notice.

If you receive a Lena Health or Houston Methodist notification letter, the letter will list what is being offered. Without published guidance, the typical industry baseline is 12-24 months of credit monitoring; do not assume any specific vendor.

What to do

  1. If you were a Houston Methodist patient with telephonic outreach, ask Houston Methodist directly about your inclusion and what protections are being offered.
  2. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  3. Be alert to phone-based phishing — your phone number and medical context are in scope, making targeted vishing campaigns more credible.
  4. If you discussed sensitive conditions on a Lena call (erectile dysfunction, incontinence, opioid use, end-of-life decisions), assume that information may be circulated and consider what disclosures you need to make to family, employers, or insurers proactively.
  5. Stop the ongoing flow of your care-coordination data. HealthConsent files HIPAA restriction requests covering vendor pathways including AI care-coordination and telephonic outreach platforms.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.