Active breach tracker San Francisco, CA Disclosed April 30, 2026

Ouster Data Breach 2026: 574 Employee Health Plan Members Exposed. Public LiDAR Company. No Public Disclosure Yet. What To Do

Ouster, Inc. (NYSE: OUST), the publicly-traded LiDAR sensor manufacturer headquartered in San Francisco, filed an HHS OCR breach in April 2026 affecting 574 individuals — almost certainly the company's employee group health plan, not LiDAR products. No public disclosure, no SEC 8-K, and no California AG entry has surfaced as of mid-May 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 30, 2026

HHS OCR filing (no other dates disclosed)

Apr 30, 2026

Attacker gained access

Apr 30, 2026

Breach detected

Data exposed

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Ouster, Inc. (NYSE: OUST) is a publicly-traded LiDAR sensor manufacturer headquartered at 350 Treat Avenue in San Francisco, California. The company is not a healthcare provider — its commercial business is automotive, industrial, and robotics LiDAR sensors.

The HHS OCR filing covers 574 affected individuals — a headcount consistent with Ouster’s high-hundreds employee base. HIPAA jurisdiction almost certainly attaches via Ouster’s self-funded or self-administered employee group health plan as a HIPAA-covered entity, not through LiDAR products or customer data.

Ouster filed with HHS OCR on April 30, 2026 — Unauthorized Access/Disclosure at Network Server.

Why this page is sparse

As of mid-May 2026 — 15 days after the OCR filing — Ouster has not issued any public disclosure about this incident:

  • No press release on ouster.com or investors.ouster.com
  • No SEC 8-K filing under Item 1.05 (cybersecurity incident) — at 574 affected, the incident is almost certainly below SEC materiality thresholds for OUST (FY2025 revenue $130M+)
  • No California AG breach notice filed at oag.ca.gov as of 2026-05-15 (California SB-446, effective January 1, 2026, requires AG notice within 15 days — filing may be imminent, or the CA-resident count may be below the 500-resident threshold)
  • No coverage in HIPAA Journal, DataBreaches.net, TechCrunch, or SF Business Times
  • No ransomware leak-site listing observed

This is the silence story: a publicly-traded NYSE company filed a HIPAA breach 15 days ago and has issued no public notice, no SEC filing, and no entity-issued statement.

What was potentially exposed

Specific PHI categories are not publicly disclosed. For an employer health plan breach, typical exposure includes:

  • Full name
  • Plan member ID, dependent enrollment data
  • Health insurance information
  • Possibly Social Security number, date of birth, address

Read your specific notification letter if you receive one for the confirmed data elements.

What to do

  1. If you are a current or former Ouster employee (or a dependent enrolled in the company health plan), contact your HR team to ask whether you have been notified and what credit monitoring (if any) is being offered.
  2. Watch for a notification letter — California breach law requires notice without unreasonable delay.
  3. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  4. Stop the ongoing flow of your group-health-plan data. HealthConsent files HIPAA restriction requests covering self-funded employer health plan administration pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.