OpenLoop Health Data Breach Affects 68,160 Texans

OpenLoop Health Inc., a digital health infrastructure and telehealth company based in Iowa, disclosed a data breach to the Texas Attorney General on March 18, 2026. The breach affected 68,160 Texas residents, according to the state filing.

The exposed information included both personally identifiable information (PII) and protected health information (PHI). The company notified affected consumers by U.S. mail and through broadcasts on Texas-wide media.

How the OpenLoop Health data breach unfolded

On Jan. 8, 2026, a threat actor using the name "stuckin2019" posted on an open web forum claiming to have leaked data from OpenLoop Health. The actor claimed the compromised data contained 1.6 million patient records, including full names, email addresses, phone numbers, physical addresses, dates of birth and IP addresses.

More than two months later, on March 18, 2026, OpenLoop Health reported the breach to the Texas Attorney General. The company listed the types of consumer information exposed as names, addresses, dates of birth, medical information and additional unspecified data.

The company notified affected individuals through U.S. mail and broadcasts on Texas-wide media, according to the state filing. No additional details about the company's response, such as credit monitoring offers or a dedicated call center, were included in the available disclosure.

Steps affected individuals can take to protect their information

Because this breach involved medical information along with personal details like names, addresses and dates of birth, affected individuals should consider taking several steps to reduce the risk of harm.

Monitor Explanation of Benefits statements. Anyone who received care through an OpenLoop Health-supported telehealth service should carefully review Explanation of Benefits (EOB) statements from their health insurance provider. These documents show what services were billed under a patient's name.

Watch for signs of identity theft. Since names, addresses and dates of birth were exposed, affected individuals face an increased risk of identity theft. They should monitor their credit reports for any unfamiliar accounts or inquiries. Free credit reports are available at AnnualCreditReport.com from the three major credit bureaus: Equifax, Experian and TransUnion.

Consider placing a fraud alert. A fraud alert tells creditors to take extra steps to verify a person's identity before opening new accounts. Individuals can place a free fraud alert by contacting any one of the three major credit bureaus. The bureau that receives the request is required to notify the other two.

Consider a credit freeze. A credit freeze prevents new accounts from being opened in a person's name. It is free to place and lift. Individuals can contact each of the three credit bureaus directly to set up a freeze.

Be cautious of phishing attempts. After a data breach, scammers sometimes send emails, texts or letters that reference the breach by name to trick people into sharing more personal information. Anyone who receives a message claiming to be from OpenLoop Health or a related organization should verify it independently before responding or clicking any links.

Monitor for suspicious communications. Because the threat actor claimed to have obtained email addresses, phone numbers and IP addresses in addition to the information listed in the Texas filing, affected individuals should be alert to unexpected emails, phone calls or text messages. These could be attempts to use the stolen data for phishing or fraud.