OpenLoop Health Telehealth Infrastructure Vendor Breach Exposes Patient Data Across Multiple Digital Health Clients
TL;DR
A January 2026 breach at OpenLoop Health, a telehealth infrastructure vendor serving multiple digital health clients, exposed patient data across OpenLoop's client base. This is a breach disclosure, not an OCR enforcement action. No fine has been announced. The incident illustrates the downstream HIPAA liability risk that covered entities carry when a shared business associate is compromised.
OpenLoop Health, a white-label telehealth infrastructure vendor and business associate to numerous digital health companies, disclosed a January 2026 breach in which an unauthorized party removed data from its systems. Here is what covered entities and their compliance teams need to know.
One breach at a single infrastructure vendor in January 2026 potentially exposed patient data held by multiple digital health companies at once, none of which were directly attacked.
That is the core risk that the OpenLoop Health breach makes visible. OpenLoop is not a direct-to-patient company. It is a white-label telehealth infrastructure vendor, providing licensing support, credentialing, practice management, and provider staffing to digital health clients that build consumer-facing products on top of OpenLoop's backend. When an unauthorized party removed data from OpenLoop's systems on or around January 7, 2026, the exposure did not stay contained to one covered entity. It spread across OpenLoop's client base.
OpenLoop disclosed the breach to the California Attorney General. This is a breach disclosure, not an OCR enforcement action. No fine has been announced.
What OpenLoop Health Does and Why It Matters Here
OpenLoop Health operates as a business associate to the digital health and telehealth companies it serves. Under HIPAA, a business associate is any vendor or subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. Because OpenLoop handles clinical operations infrastructure, including provider credentialing and practice management, it routinely processes PHI on behalf of its clients.
45 CFR §164.502(e) requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI, typically through a signed Business Associate Agreement. 45 CFR §164.308(b) extends this requirement to the administrative safeguards framework, requiring covered entities to ensure that business associates implement reasonable and appropriate protections.
The breach at OpenLoop is a direct test of whether those assurances held.
What Is Known About the Breach
Based on available reporting, an unauthorized party accessed OpenLoop Health's systems and removed data. The breach was reported to the California Attorney General, which is the standard disclosure pathway when affected individuals include California residents covered by state breach notification law.
Key facts, based on available information at the time of this writing:
- The breach occurred on or around January 7, 2026.
- An unauthorized party removed data from OpenLoop's systems.
- The breach affected individuals across OpenLoop's digital health client base, not just a single covered entity.
- OpenLoop reported the incident to the California Attorney General.
- The incident has been included in reporting on significant healthcare data breaches reported to OCR in 2026.
The specific number of individuals affected has not been independently confirmed in the information available to this publication. Where figures appear in subsequent public filings, readers should treat them as reported figures pending verification.
Warning: A breach at a shared telehealth infrastructure vendor is not contained to one patient population. Every covered entity or digital health company that routes PHI through the same vendor backend faces potential exposure when that vendor is compromised. This is supply chain risk in its most direct form.
The Business Associate Liability Chain
HIPAA's business associate framework was built precisely for situations like this. Under 45 CFR §164.504(e), the BAA must include provisions requiring the business associate to report breaches to the covered entity, implement appropriate safeguards, and ensure that any subcontractors it uses are also bound by equivalent obligations.
With OpenLoop breached, several compliance questions immediately arise for every covered entity and digital health company in its client base:
Is a signed BAA in place? This is the threshold question. Without a signed BAA, a covered entity using OpenLoop's infrastructure has a compliance gap that predates the breach and compounds the legal exposure.
Were your patients' data involved? Not every client's data may have been in the systems that were accessed. Covered entities need to work directly with OpenLoop to determine the scope of exposure for their specific patient population.
What are your notification obligations? Under 45 CFR §164.400 through 45 CFR §164.414, covered entities have independent breach notification obligations. If OpenLoop's breach involved the PHI of your patients, you may have obligations to notify affected individuals, HHS, and potentially media outlets depending on the number affected, regardless of whether OpenLoop has already made its own notifications.
Does your BAA assign notification responsibility clearly? Many BAAs are ambiguous about who sends notification to individuals when the breach originates at the BA level. That ambiguity becomes a serious operational problem the moment a breach occurs.
The Telehealth Vendor Supply Chain Problem
OpenLoop Health is one of a growing category of companies that power the operational backend of digital health. These vendors sit below the consumer-facing layer, handling the credentialing, licensing, clinical infrastructure, and provider networks that make telehealth products work. They are essential and, for compliance purposes, they are almost always business associates.
The compliance challenge is that digital health companies often treat these vendors the way they treat cloud hosting providers: as infrastructure that is assumed to be secure rather than as PHI handlers that require active vendor risk management. That assumption is exactly what this breach should disrupt.
Under 45 CFR §164.308(a)(1), covered entities must conduct an accurate and thorough risk analysis. That analysis must account for PHI held or processed by business associates. A vendor like OpenLoop, which handles PHI on behalf of many clients simultaneously, represents a concentrated risk. If its security controls fail, the impact multiplies across every client.
The HIPAA Security Rule does not require perfection. It requires reasonable and appropriate safeguards calibrated to the risk. But it also requires covered entities to assess those risks honestly, and a shared infrastructure vendor that processes clinical operations data for dozens of digital health companies is a significant risk concentration that belongs in any honest risk analysis.
What Covered Entities and Digital Health Companies Should Do Now
If your organization uses OpenLoop Health or a similar telehealth infrastructure vendor, the following steps apply immediately regardless of whether you have confirmed involvement in this specific breach.
Locate and review your BAA. Confirm it is signed, current, and includes breach notification obligations that are specific about timelines and responsibilities. Under 45 CFR §164.314(a), business associate contracts must require the BA to report security incidents, including breaches, to the covered entity.
Contact OpenLoop directly. Ask whether your patient data was involved, what data types were accessed or removed, and what remediation steps OpenLoop has taken.
Review your breach response plan. If patient data was involved, your 60-day notification clock under 45 CFR §164.412 may already be running from the date you were notified or had reason to know of the breach.
Audit your full vendor inventory. This breach is a prompt to identify every vendor in your stack that handles PHI and confirm that BAAs are in place and that your risk analysis reflects the actual risk profile of each vendor.
Document your response. HIPAA enforcement often turns on documentation. Record when you learned of the breach, what steps you took, what you determined about scope, and what notifications you made or determined were not required and why.
Why This Breach Pattern Will Repeat
OpenLoop Health is not an outlier. The digital health ecosystem has built itself on a layer of shared infrastructure vendors, many of which handle PHI at scale across many clients simultaneously. That architecture creates efficiency and also creates single points of failure that affect not one covered entity but many.
HIPAA's business associate framework was designed to address exactly this structure. The regulations impose direct liability on business associates under 45 CFR §164.308, 45 CFR §164.310, and 45 CFR §164.312 for implementing administrative, physical, and technical safeguards. Business associates can be investigated and sanctioned by OCR directly, not only through their covered entity clients.
But regulatory liability after the fact does not undo the harm to patients or the operational disruption to covered entities scrambling to determine their notification obligations. The better investment is in vendor risk management before a breach, not response after one.
The OpenLoop Health breach is not an isolated incident at one company. It is a demonstration of how a single business associate compromise can cascade across an entire ecosystem of digital health clients. Covered entities and digital health companies that rely on shared telehealth infrastructure vendors should treat this breach as a prompt to verify BAAs are in place and current, confirm whether their patient data was affected, review their breach notification obligations under HIPAA, and build vendor risk management practices that reflect the actual concentration of PHI risk in their vendor stack. This is a breach disclosure. No OCR enforcement action or fine has been announced.
Sources & citations
- TechTarget HealthTechSecurity: Biggest healthcare data breaches reported to OCR in 2026 so far
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.