OpenLoop Health hit with proposed class action after alleged 1.6 million‑record hack

OpenLoop Health, a digital‑health infrastructure firm that powers telehealth services, is facing at least one putative class action after an alleged cyberintrusion that the complaint says may have exposed information tied to roughly 1.6 million patients. The lawsuit, filed in U.S. District Court for the Southern District of Iowa, says a group calling itself stuckin2019 claimed on Jan. 7, 2026, to have hacked the company and gained access to a cache of “highly sensitive and private information.”

Attorneys for plaintiff Kathy Morehart of Texas allege Morehart and others “relied on OpenLoop to keep their private health information confidential.” The complaint asserts the breach “resulted from a combination of insufficiencies that indicate [the company] failed to comply with safeguards mandated by Health Information Portability and Accountability Act (HIPAA) regulations and industry standards,” and that OpenLoop “had long been ‘on notice that companies in the healthcare industry are susceptible targets for data breaches,’ given highly publicized cyberattacks in the industry and FBI warnings that date back to 2014.”

The suit also contends OpenLoop did not notify affected patients. It cites a study saying confirmed identity‑theft cases from health care breaches have cost individuals an average of $20,000 and notes that “while credit card information can sell for as little as $1 to $2 on the black market, protected health information can sell for as much as $363, according to the lawsuit.” The complaint warns that “plaintiff and class members are at an increased risk of fraud and identity theft, including medical identity theft, for many years into the future,” and that they “have no choice but to vigilantly monitor their accounts for many years to come.”

ModernHealthcare reported that two separate people filed suit in Iowa alleging the company failed to protect sensitive patient information; the filings available to date identify Morehart as a named class plaintiff. The precise scope of the data elements allegedly accessed and the formal class definition were not included in reports summarizing the complaint. No federal agency determination or independent forensic confirmation of the alleged intrusion has been disclosed in the filings summarized by the complaint.

OpenLoop has yet to respond to the lawsuit in the public record cited by the complaint. The complaint does not attach a company statement confirming or denying the incident, nor does it include a court docket number in the public summaries summarized here. Because the allegations rest on claims by the attacker and the complaint, independent verification by cybersecurity investigators or federal authorities would be required to confirm the extent and nature of any exposure.

Separately, OpenLoop is a defendant in a different mid‑February class action involving compounded oral tirzepatide and a white‑label telehealth platform. That case, brought by plaintiff Darby Day, alleges he paid $279.99 for a one‑month supply ordered through a platform that appears to work with OpenLoop. Defendants in that matter have argued that “This case attempts to turn dissatisfaction with a prescription weight‑loss treatment into a federal RICO action and a multi‑state consumer fraud case,” and that “The Complaint rests on a single, erroneous premise: that compounded oral tirzepatide requires FDA approval, and without FDA approval, pharmacies are prohibited from lawfully compounding or dispensing it.” Plaintiff counsel in that lawsuit said, “My god, the game’s just began.”

The breach allegations raise questions about HIPAA compliance, vendor oversight and the readiness of telehealth platforms to secure sensitive health data at scale. If the claim that more than 1.6 million records are involved is borne out, the financial and administrative burdens the complaint cites, including long‑term identity‑monitoring costs and medical identity theft risk, could affect thousands of patients and complicate public trust in rapidly expanding virtual care networks. Federal reporting obligations, potential investigations by HHS’ Office for Civil Rights and law enforcement, and detailed forensic analysis will be central to assessing harm and guiding policy responses.