OpenLoop Health Breach 2026: Is Your Telehealth Data Exposed?

FTC Affiliate Disclosure: This article may contain affiliate links. If you enroll through these links, a commission may be earned at no additional cost to you. This compensation does not influence the accuracy or integrity of the information presented.

In January 2026, a threat actor breached the systems of OpenLoop Health — a Des Moines, Iowa-based telehealth infrastructure company that provides licensed physicians, prescription processing, and clinical operations for dozens of consumer-facing telehealth platforms. The attacker claimed to have accessed records from approximately 1.6 million patients, including names, contact information, dates of birth, and medical information.

OpenLoop confirmed the breach and notified the Texas Attorney General in March 2026, identifying at least 68,160 affected individuals in Texas alone. Multiple class-action lawsuits have since been filed.

If you enrolled in any telehealth program that uses OpenLoop for clinical services — whether for weight loss, men's health, hormone therapy, or other categories — your patient data may have been affected. This article explains what happened, what it means for patients whose data was exposed, and what you can do.

Why a Single Breach Affects Patients Across Dozens of Platforms

Most consumers interact with telehealth through a consumer-facing brand — the website where they completed an intake form, the company name on their billing statement, the platform that sent their medication. What many consumers do not realize is that the clinical infrastructure behind that brand is often provided by a separate company.

OpenLoop Health is one of the largest telehealth infrastructure providers in the United States. It supplies the licensed clinicians, medical evaluation systems, and prescription processing that enable consumer-facing platforms to operate without building their own clinical operations. A STAT News analysis found that OpenLoop was one of four nationwide medical groups affiliated with more than 30 percent of the telehealth companies that received FDA warning letters in early 2026.

This shared infrastructure model means that a security breach at the infrastructure level affects patients across every platform that uses that infrastructure — even if those platforms have different names, different websites, and different customer service teams. Patients who enrolled through Platform A and patients who enrolled through Platform B may both have their records stored in the same backend system.

OpenLoop's infrastructure spans multiple telehealth categories. It provides clinical services for platforms offering GLP-1 weight loss programs, men's health treatments including compounded ED medications, hormone therapy, and other prescription categories. The breach therefore potentially affects patients across all of these categories, not just weight loss.

What Was Exposed

Based on the disclosures filed with state attorneys general and the class-action complaints, the breached data potentially includes patient names, email addresses, phone numbers, dates of birth, mailing addresses, medical history submitted through intake forms, prescription information, and treatment records.

For telehealth patients, this exposure is particularly sensitive because telehealth intake forms typically collect detailed medical history that patients may not share even with family members. Conditions like erectile dysfunction, weight management concerns, hormone imbalances, and mental health issues carry social stigma, which makes unauthorized disclosure of patient data and treatment records especially harmful.

What HIPAA Requires — and What It Does Not

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards for protecting patient health information. Under HIPAA's Breach Notification Rule, covered entities that experience a data breach affecting 500 or more individuals must notify affected patients, the Department of Health and Human Services, and in some cases, local media.

What HIPAA does not do is prevent breaches from happening. It sets a floor for security practices: it requires reasonable safeguards (encryption, access controls, workforce training, risk assessments), but compliance with HIPAA does not guarantee that a breach will not occur.

For patients affected by the OpenLoop breach, HIPAA provides a framework for notification and a basis for potential enforcement action by HHS. It also provides context for the class-action lawsuits, which allege that OpenLoop's security practices fell below the standard of care for protecting patient health information.

What Patients Should Do Now

If you have enrolled in any telehealth program and are uncertain whether your clinical services were provided through OpenLoop, you can take several concrete steps.

Check your enrollment communications. Review the terms of service, privacy policy, and any disclosures you received when you signed up. Look for mentions of OpenLoop Health, OpenLoop, or references to a separate medical group providing clinical services. Some platforms explicitly name their clinical infrastructure partners; others reference them only in fine print.

Contact the telehealth platform directly. Ask whether your clinical evaluation and prescription were processed through OpenLoop Health. The platform should be able to tell you which medical group handled your care.

Monitor your accounts and credit. If your personal information was exposed, consider placing a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion) or a credit freeze if you want more protection. Monitor your health insurance Explanation of Benefits (EOB) statements for unfamiliar claims — medical identity theft can result in fraudulent claims filed using your health information.

Review breach notification correspondence. If you receive a notification letter from OpenLoop or a telehealth platform regarding the breach, read it carefully. These notifications typically include information about free credit monitoring services and the specific data categories that were exposed.

How to Evaluate Data Privacy Before Enrolling in Any Telehealth Platform

For consumers evaluating new telehealth platforms in 2026, data privacy should be part of the enrollment decision — not an afterthought.

Before providing medical history information to any telehealth platform, ask the following questions. Who is the covered entity under HIPAA for your health information — the consumer-facing platform, the medical group, or both? Where is your health data stored, and does the platform use third-party infrastructure providers for clinical operations? What is the platform's breach notification policy, and does it exceed the minimum HIPAA requirements? Does the platform use encryption for data at rest and in transit?

Platforms that answer these questions transparently provide more confidence than those that bury data handling details in dense legal language. A platform's willingness to discuss its data practices openly is itself an indicator of operational maturity.

For a complete framework covering all aspects of telehealth platform evaluation — including regulatory compliance, prescriber verification, pharmacy licensing, and billing terms — see our consumer due diligence checklist.

Multiple MEDVi product lines — including both the GLP-1 weight loss program and the QUAD compounded ED treatment — operate through clinical infrastructure that includes OpenLoop-affiliated providers. For a comprehensive analysis of MEDVi's business model, regulatory status, and the full context of its growth story, see our detailed MEDVi report. For consumers specifically interested in how compounded ED telehealth platforms operate and what verification steps apply, see our compounded ED telehealth analysis.

If you believe your data may have been exposed in the OpenLoop breach or any other telehealth data incident, consult with a privacy attorney or your state's attorney general office for guidance on your specific rights and options.

This report was compiled from state attorney general filings, class-action complaints, HIPAA regulatory guidance, STAT News reporting, and verified company disclosures. HealthDataConsortium.org is committed to data-driven health reporting and does not provide medical, legal, or cybersecurity advice. Consult qualified professionals for guidance on your specific situation.

HealthDataConsortium.org Editorial Team | Published April 2026