Lena Health Data Breach 2026 (FulcrumSec): 3,651 Patients Exposed Including 7,500+ Recorded Phone Calls. Houston Methodist Affected. What To Do
Bloom Circle, Inc. (d/b/a Lena Health), a Houston-based AI-driven care-coordination SaaS platform serving health systems including Houston Methodist, was breached in late 2025 by the FulcrumSec extortion group. Names, dates of birth, phone numbers, medical record numbers, 7,500+ recorded patient phone calls with AI transcriptions covering erectile dysfunction, incontinence, opioid prescriptions, and cardiac surgery for 3,651 individuals exposed. No public credit monitoring offer. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 1, 2025
Upstream vulnerability disclosed; patch issued
Dec 15, 2025
Intrusion: attacker exploits unpatched system + misconfigured public S3 bucket with unencrypted DB export
Jan 10, 2026
FulcrumSec contacts Lena Health directly; Lena initially acknowledges, then stops responding
Jan 26, 2026
FulcrumSec publishes Lena Health on leak site
Jan 28, 2026
DataBreaches.net publishes investigative report
Mar 13, 2026
HHS OCR filing
Dec 1, 2025
Upstream vulnerability disclosed; patch issued
Dec 15, 2025
Intrusion: attacker exploits unpatched system + misconfigured public S3 bucket with unencrypted DB export
Jan 10, 2026
FulcrumSec contacts Lena Health directly; Lena initially acknowledges, then stops responding
Jan 26, 2026
FulcrumSec publishes Lena Health on leak site
Jan 28, 2026
DataBreaches.net publishes investigative report
Mar 13, 2026
HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Lena Health (corporate name: Bloom Circle, Inc.) is a Houston, Texas-based AI-driven care-coordination SaaS platform founded in 2019, operating out of the Texas Medical Center. The product is a “telephonic AI” platform combining LLM-driven outreach with human navigators — handling patient call queues, SMS scheduling, post-discharge follow-ups, and population-health outreach for health systems and clinics. Lena Health closed a $2M seed round in April 2025.
Houston Methodist is a named customer. Lena operates as a HIPAA business associate, holding patient call recordings and transcripts on behalf of its covered-entity clients. Patients are predominantly the health-system patients of Lena’s clients, not direct-to-consumer.
In mid-to-late December 2025, an attacker exploited an unpatched upstream vulnerability in Lena’s infrastructure and separately identified a misconfigured public-facing S3 bucket containing an unencrypted database export. On January 10, 2026, the threat actor FulcrumSec contacted Lena Health directly to extort payment. Lena initially acknowledged the contact, then stopped responding. On approximately January 26, 2026, FulcrumSec published Lena Health on its leak site. DataBreaches.net published an investigative report on January 28, 2026. Lena filed with HHS OCR on March 13, 2026 — confirming 3,651 affected individuals.
Early reporting cited 2,134 patients; the final OCR figure of 3,651 suggests forensic review expanded scope beyond Houston Methodist to additional Lena client patients.
FulcrumSec is a small extortion crew explicitly targeting AI-driven SaaS startups with inadequate security.
What makes this breach unusual
Lena Health holds call recordings and AI transcripts of patient conversations. The exfiltrated set is reported to include:
- 7,500+ recorded patient phone calls (some reports: 19,542)
- AI-generated call transcriptions covering erectile dysfunction, incontinence, gangrene, cardiac surgery, and opioid prescriptions
- 68 hospital discharge documents
- 1,380 elderly-patient phone numbers specifically flagged
- API keys and staff login credentials
Voice recordings and verbatim transcripts of vulnerable elderly patients describing sensitive medical conditions represent an unusually severe exposure profile. Voice biometric data combined with full-name and medical-context information is not easily mitigated by typical post-breach remediation.
What is being offered
As of mid-May 2026, no public confirmation of credit monitoring, dedicated call center, or IDX/Kroll engagement has surfaced. Lena Health has not issued a public press statement. Houston Methodist has not commented publicly. Lena’s trust center at trust.lenaconnect.com does not display a breach notice.
If you receive a Lena Health or Houston Methodist notification letter, the letter will list what is being offered. Without published guidance, the typical industry baseline is 12-24 months of credit monitoring; do not assume any specific vendor.
What to do
- If you were a Houston Methodist patient with telephonic outreach, ask Houston Methodist directly about your inclusion and what protections are being offered.
- Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
- Be alert to phone-based phishing — your phone number and medical context are in scope, making targeted vishing campaigns more credible.
- If you discussed sensitive conditions on a Lena call (erectile dysfunction, incontinence, opioid use, end-of-life decisions), assume that information may be circulated and consider what disclosures you need to make to family, employers, or insurers proactively.
- Stop the ongoing flow of your care-coordination data. HealthConsent files HIPAA restriction requests covering vendor pathways including AI care-coordination and telephonic outreach platforms.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- DataBreaches.net: Lena Health Breach Exposed Houston Methodist Patients
- RedPacketSecurity: FulcrumSec Victim Lena Health
- Rankiteo: Lena Health Houston Methodist Breach Analysis
- Darknetsearch: Lena Health Breach Impact Analysis
- Lena Health Marketing Site
- Lena Health Trust Center (no breach notice as of 2026-05-15)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.