OpenLoop Health Data Breach 2026: 716,000 Telehealth Patients Exposed Across 120 Brand Partners. What Was Stolen and What To Do
OpenLoop Health, the white-label telehealth infrastructure platform powering ~120 direct-to-consumer brands including Remedy Meds, MEDVi, JoinFridays, and Triad RX, disclosed in March 2026 a January 7 to 8 breach affecting 716,000 patients. A lone threat actor briefly posted samples claiming 1.6 million records. If you received care from any DTC telehealth brand, here is what was taken and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 7, 2026
Unauthorized access began; detected same day
Jan 7, 2026
Attacker gained access
Jan 8, 2026
Containment; threat actor posts sample on hacking forum
Feb 16, 2026
First federal complaint filed (Morehart v. OpenLoop, S.D. Iowa)
Mar 17, 2026
Filed with HHS OCR; individual letters mailed
Mar 23, 2026
Public press release issued
Jan 7, 2026
Unauthorized access began; detected same day
Jan 7, 2026
Attacker gained access
Jan 8, 2026
Containment; threat actor posts sample on hacking forum
Feb 16, 2026
First federal complaint filed (Morehart v. OpenLoop, S.D. Iowa)
Mar 17, 2026
Filed with HHS OCR; individual letters mailed
Mar 23, 2026
Public press release issued
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
OpenLoop Health is a Des Moines, Iowa telehealth infrastructure company that powers virtual-care for approximately 120 direct-to-consumer healthcare brands. If you used a DTC health app for weight-loss medication, men’s-health prescriptions, mental-health visits, or general primary-care telehealth in the last several years, OpenLoop may have processed your visit on the back end even though you never saw the OpenLoop name.
On January 7, 2026, OpenLoop detected unauthorized access to its systems. The intrusion was contained within 24 hours. The next day, a threat actor using the handle “Stuckin2019” posted a sample of stolen data on a hacking forum, claiming to hold 1.6 million records. The forum listing was taken down approximately two days later. The threat actor told the security blog DataBreaches.net that payment was received and the data had been deleted; OpenLoop has not publicly confirmed any payment.
OpenLoop filed with the US Department of Health and Human Services Office for Civil Rights on March 17, 2026, confirming 716,000 individuals were affected. The threat actor’s 1.6 million claim has not been substantiated. State attorneys general in Texas (68,160 residents), California, and Rhode Island (approximately 2,200 residents) received parallel filings.
Notably absent: no filing has been located on the Iowa Attorney General’s 2026 breach list despite OpenLoop being headquartered in Iowa. No standalone OpenLoop incident notice page exists on openloophealth.com (the URL openloophealth.com/notice-of-data-security-incident returns a 404). The only first-party public notice is the PR Newswire release.
What was stolen
The OpenLoop notification letter (per the California AG filing) confirms that the compromised data may have included:
- Full name
- Home address
- Email address
- Date of birth
- Medical information
The notification letter explicitly states that electronic health records, Social Security numbers, and financial account information were not affected.
However, the threat actor’s forum posting and sample data included a broader category set: phone numbers, IP addresses, heights and weights, biometric data, prescription information, and FedEx tracking details. The discrepancy between OpenLoop’s letter and the actor’s claim is not officially reconciled. If you have used any OpenLoop-powered telehealth service, assume the broader set may apply.
Who is affected (brand partners)
OpenLoop powers an estimated 120 direct-to-consumer healthcare brands. Most brand partners have not publicly named themselves as affected. Named in independent analyst reporting:
- Remedy Meds (general prescription telehealth)
- MEDVi (DTC health platform)
- Fridays / JoinFridays (weight-loss telehealth)
- Triad RX (prescription services)
If you have used any DTC telehealth brand for weight-loss medications (GLP-1 agonists, semaglutide, tirzepatide), men’s-health prescriptions, mental-health visits, hair-loss medications, or similar virtual-care services, your visit may have been processed through OpenLoop. The brand you saw on the app or website is not necessarily the entity that handled the underlying health data. Check whether your prescription bottle, insurance billing, or appointment confirmation references OpenLoop Health.
What OpenLoop is offering
Affected individuals are being directed to IDX (a ZeroFox-owned identity-protection vendor) for 12 months of complimentary identity and credit monitoring, including fraud consultation and CyberScan monitoring.
- Enrollment:
response.idx.us/OpenLoop(activation code from the notification letter required) - Phone: 1-844-539-9781
- Enrollment deadline: June 17, 2026
- Direct OpenLoop contact: Larry Trittschuh, 1-844-819-7956
Credit monitoring catches identity theft signals on the credit report side. Because SSN and financial account info were not exposed in this breach, the more pressing concern is targeted phishing using your prescription and medical details, and the long tail of your health data circulating through downstream data brokers and ad-tech buyers.
What to do if you received a notification letter
This week:
- Enroll in IDX before June 17, 2026. The deadline is firm.
- Treat any unexpected pharmacy, FedEx, or telehealth-related email or text as a probable phishing attempt. The actor’s data included FedEx tracking details, which gives criminals enough specificity to craft very convincing “your prescription shipment has an issue, click here” scams.
- Change passwords on any DTC telehealth service you have used. Email address and date of birth are common password-reset fields.
This month:
- Stop the ongoing flow of your prescription and telehealth data. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across data brokers, ad-tech buyers, and consumer-health platforms so the prescription and behavioral-health data exposed in this breach is not continuously re-sold downstream.
- Audit which DTC health brands you have ever used. If any of them are OpenLoop-powered, request data deletion from each of those brands separately under CCPA / Washington MHMDA / Connecticut / Virginia / Colorado state privacy laws.
Frequently asked questions
How do I know if I am affected?
You may not know. Most OpenLoop brand partners have not publicly disclosed their relationship with OpenLoop. If you used any DTC telehealth product in 2025 or early 2026, especially weight-loss, men’s-health, mental-health, or prescription-renewal services, you may be included. Watch your mail for an IDX-branded notification letter and the OpenLoop enrollment code.
Why does the threat actor claim 1.6 million but OpenLoop says 716,000?
OpenLoop’s number reflects the records the company has confirmed were exposed in the forensic investigation. The actor’s claim is unverified. The discrepancy could reflect: (a) actor exaggeration, (b) deduplication differences, (c) records the actor accessed but did not exfiltrate, or (d) records OpenLoop has not yet identified as affected. The OCR-filed number is the authoritative count under HIPAA.
Was a ransomware group involved?
No. “Stuckin2019” presented as a lone individual. The actor told DataBreaches.net that the data was deleted after payment, but no group like BlackCat, Cl0p, Medusa, or RansomHub claimed responsibility. The incident does not fit the ransomware-as-a-service pattern.
Should I sue?
At least four federal class actions have been filed in the Southern District of Iowa (Des Moines Division): Morehart v. OpenLoop Health (4:26-cv-00074), Alvarez v. OpenLoop Health (4:26-cv-00083), Allen v. OpenLoop Health (4:26-cv-00097), and Mendosa v. OpenLoop Health (4:26-cv-00123). Multiple plaintiffs’ firms are accepting affected individuals (see Quick Facts above). We are not a law firm and cannot give legal advice.
Is HealthConsent affiliated with OpenLoop or any of its brand partners?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- OpenLoop Health: Data Security Incident Press Release
- California Attorney General: OpenLoop Filing
- California Attorney General: OpenLoop Notification Letter
- HIPAA Journal: OpenLoop Health Data Breach
- SecurityWeek: 716,000 Impacted by OpenLoop Health Breach
- DataBreaches.net: 3.7 Million Telehealth Patients Allegedly Affected
- Sentra: OpenLoop Health Breach Aggregator Analysis (120 brands)
- Iowa Capital Dispatch: Iowa Company Faces Lawsuit
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.