Telehealth infrastructure provider OpenLoop Health has confirmed that a January 2026 intrusion compromised the personal information of 716,000 individuals. The company detected the unauthorized access on January 7, 2026, reported it to authorities in March, and only recently finalized the scope of affected patients. A threat actor using the handle Stuckin2019 has publicly claimed responsibility and alleges a much larger haul of 1.6 million records.

What Happened

According to OpenLoop's data breach notification letter, an unauthorized third party gained access to certain OpenLoop systems and exfiltrated data between January 7 and January 8, 2026. The intrusion was identified on January 7, prompting the company to engage external cybersecurity specialists to investigate the nature and scope of the event and to confirm that the attacker's access had been terminated. The breach was reported to regulators in March 2026, with affected-individual notifications now rolling out following the completion of the forensic review. OpenLoop has stated it worked with federal law enforcement during the response and has implemented additional defensive measures.

What Was Taken

OpenLoop confirmed that the stolen dataset includes personal information belonging to 716,000 individuals who used its telehealth services. The company emphasized that the attacker did not access electronic health records, Social Security numbers, or financial account information. However, the threat actor Stuckin2019 has publicly contradicted the official scope, claiming responsibility for the intrusion and asserting the theft of data tied to 1.6 million patients, and posting samples as proof. The discrepancy between the company's confirmed 716,000 figure and the attacker's claimed 1.6 million remains unresolved, and the precise categories of personal data exposed have not been fully detailed in public disclosures.

Why It Matters

OpenLoop operates as a backbone provider for telehealth services, meaning a breach at this layer can cascade across multiple downstream clinical brands and patient populations that rely on the firm for virtual care delivery. Even without electronic health record content, telehealth user data typically contains identity, contact, and care-related metadata that can be highly effective in healthcare-themed phishing, insurance fraud, and social engineering against patients. The gap between the company's confirmed victim count and the attacker's stated total is itself a strategic signal: defenders should assume the public claim is plausible until disproven, and downstream partners should plan notifications and risk assessments accordingly. Healthcare and telehealth platforms continue to rank among the highest-value targets for financially motivated intrusion sets in 2026.

The Attack Technique

OpenLoop has not publicly disclosed the initial access vector, the malware family, or the specific tactics used during the roughly 24-hour window in which the intruder operated. The tight intrusion-to-exfiltration timeline, spanning January 7 to January 8, 2026, is consistent with opportunistic, fast-moving data-theft operations rather than long-dwell espionage. The actor Stuckin2019 surfaced the breach on criminal forums with sample data, a pattern typical of extortion-leaning data brokers who pressure victims through public exposure rather than encryption. In the absence of technical indicators from OpenLoop, defenders should treat the case as an unattributed data-theft intrusion against a healthcare infrastructure provider and monitor for any future indicator publication by the firm or partner CSIRTs.

What Organizations Should Do

  1. Inventory all third-party telehealth and healthcare infrastructure vendors, and request written confirmation from OpenLoop or downstream partners on whether your patient population is in scope.
  2. Heighten monitoring for healthcare-themed phishing, smishing, and voice phishing campaigns targeting patients, especially lures referencing telehealth visits, prescriptions, or identity monitoring enrollment.
  3. Enforce phishing-resistant MFA, restrict service account privileges, and review egress controls on systems that store patient identity data to limit single-burst exfiltration windows.
  4. Validate that data retention, segmentation, and tokenization policies prevent a single compromise from yielding a full identity dataset for hundreds of thousands of patients.
  5. Treat any leak-site or forum posting referencing Stuckin2019 as a priority intelligence requirement, and ingest sample data hashes and selectors into detection pipelines if released.
  6. Review incident response playbooks for healthcare partners, ensuring breach notification timelines, regulator coordination, and patient communications can move faster than the three-month gap seen here.
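Step 3 recommends egress controls that limit single-burst exfiltration windows, and step 5 recommends feeding indicators into detection pipelines. The following is an added example, not code from OpenLoop or from the original article, of the kind of detection logic a defender can run over outbound flow logs to catch a burst like the one-day window described above. The flow records, host names, destination IPs and byte counts are constructed sample data; the 10-minute bucket size, the 1 GB absolute threshold and the 10x-median ratio rule are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Flag hosts whose outbound byte volume in a short window far exceeds their norm.

Added example (not OpenLoop code). Rules and thresholds are assumptions:
  - flows are bucketed into fixed 10-minute windows per source host
  - a window is flagged if it exceeds an absolute byte ceiling, or
    exceeds a multiple of that host's median window volume
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress flow records: (timestamp, source host, dest IP, bytes out).
# Documentation-range IPs (RFC 5737); nothing here is real traffic or a real IoC.
SAMPLE_FLOWS = [
    ("2026-01-07T00:05:00", "db-patient-01", "203.0.113.10", 5_000_000),
    ("2026-01-07T00:15:00", "db-patient-01", "203.0.113.10", 6_000_000),
    ("2026-01-07T00:25:00", "db-patient-01", "203.0.113.11", 4_000_000),
    ("2026-01-07T00:35:00", "db-patient-01", "203.0.113.10", 5_500_000),
    ("2026-01-07T22:05:00", "db-patient-01", "198.51.100.7", 1_200_000_000),
    ("2026-01-07T22:07:00", "db-patient-01", "198.51.100.7", 1_100_000_000),
    ("2026-01-07T00:05:00", "web-01", "203.0.113.20", 800_000),
    ("2026-01-07T00:15:00", "web-01", "203.0.113.20", 900_000),
    ("2026-01-07T22:05:00", "web-01", "203.0.113.21", 1_000_000),
]

WINDOW_MINUTES = 10                 # assumption: bucket width
ABSOLUTE_THRESHOLD = 1_000_000_000  # assumption: 1 GB out of one host in one window
RATIO_THRESHOLD = 10                # assumption: 10x the host's median window volume
MIN_BYTES_FOR_RATIO = 50_000_000    # assumption: ignore ratio hits on tiny volumes


def bucket_start(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to the start of its fixed-width window."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % WINDOW_MINUTES, second=0, microsecond=0)


def aggregate_windows(flows):
    """Return {host: {window_start: (total_bytes, set_of_destinations)}}."""
    per_host = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, host, dst, nbytes in flows:
        entry = per_host[host][bucket_start(ts)]
        entry[0] += nbytes
        entry[1].add(dst)
    return per_host


def detect_egress_bursts(flows):
    """Return a list of alerts, one per (host, window) that breaks either rule."""
    alerts = []
    for host, windows in aggregate_windows(flows).items():
        # Baseline is the median of all of this host's window totals; a single
        # burst cannot drag the median up the way it would drag a mean.
        baseline = median(total for total, _ in windows.values())
        for start, (total, dsts) in sorted(windows.items()):
            over_absolute = total >= ABSOLUTE_THRESHOLD
            over_ratio = (baseline > 0 and total >= RATIO_THRESHOLD * baseline
                          and total >= MIN_BYTES_FOR_RATIO)
            if over_absolute or over_ratio:
                alerts.append({
                    "host": host,
                    "window_start": start.isoformat(),
                    "bytes": total,
                    "baseline_bytes": baseline,
                    "destinations": sorted(dsts),
                    "rule": "absolute" if over_absolute else "ratio",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_egress_bursts(SAMPLE_FLOWS):
        print(f"{a['host']} {a['window_start']} sent {a['bytes']:,} bytes "
              f"(baseline {a['baseline_bytes']:,}) to {a['destinations']} [{a['rule']}]")
```

On the constructed data the database host's 22:00 window (2.3 GB to one new destination) is the only alert; its normal windows of a few megabytes set a median that the ratio rule would also have caught even without the absolute ceiling. The same per-host bucketing is where released selectors (destination IPs or hashes, if OpenLoop or a partner CSIRT ever publishes them) would be matched against the `destinations` field.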

Sources: OpenLoop Health confirms January 2026 data breach affecting 716,000