The OpenLoop Health Breach: Inconsistent Aggregator Data Security Exposes 716,000 Patients Across 120+ Brands
The quick take: The OpenLoop Health breach isn't just another data leak. It's a massive failure in multi-tenant security. A single intrusion into a shared provider exposed 716,000 patients across 120 downstream healthcare companies.
One attack. One unauthorized session lasting less than 24 hours. Names, addresses, dates of birth, and medical records for 716,000 patients were exposed. A threat actor took this data from a company most patients had never heard of.
HHS confirmed the incident in May 2026. It occurred on January 7-8. OpenLoop provides the white-label clinical and operational infrastructure for telehealth brands like Remedy Meds and Fridays.
One breach. One shared layer. 120 separate companies affected.
What Happened: A Single Aggregation Point for 120 Downstream Brands
OpenLoop's business model is designed to be invisible. Healthcare companies use their platform to build virtual care programs. Patients interact with brands like JoinFridays, unaware that a shared backend aggregates their clinical data.

That model creates significant operational efficiency. It also creates a significant data security problem.
OpenLoop aggregates PHI from over 120 organizations. That data has to be classified by sensitivity, mapped to the client it belongs to, and isolated per tenant by access controls at both the storage and the access layer. Breach notification filings suggest it was not segmented at either layer: the records sat in one shared pool, so the attacker took all of them.
The initial access vector has not been made public. Forensic timelines show access on January 7 and exfiltration by January 8. A window that short suggests little or no lateral movement was needed; the data was reachable from whatever foothold the attacker already had.
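The isolation the paragraph above describes is an access-layer property, so here is an added example (not OpenLoop's code) contrasting the two models: an aggregated store where any credential resolves any record id, and a tenant-scoped store where the tenant is derived from the credential and appended to every query. The schema, brand names, API keys and rows are constructed for illustration.

```python
"""Tenant isolation at the access layer of a shared PHI store.

Added example, not OpenLoop's code: it contrasts an aggregated store, where any
credential resolves any record id, with one where the tenant is bound to the
credential and enforced on every query. The schema, brand names, API keys and
rows are constructed for illustration."""
import sqlite3
from typing import Optional

# Constructed sample rows from three white-label brands sharing one table.
SAMPLE_ROWS = [
    (1, "brand_a", "Ana Silva", "weight management"),
    (2, "brand_a", "Ben Ito", "sleep consult"),
    (3, "brand_b", "Cara Lee", "dermatology"),
    (4, "brand_c", "Dev Rao", "hair loss"),
]

# Hypothetical credential table: each API key is issued to exactly one tenant.
API_KEYS = {"key-brand-a": "brand_a", "key-brand-b": "brand_b", "key-brand-c": "brand_c"}


def build_store() -> sqlite3.Connection:
    """In-memory stand-in for the shared clinical database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_records ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT, summary TEXT)"
    )
    conn.executemany("INSERT INTO patient_records VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


class UnscopedStore:
    """The aggregated pattern: the credential authenticates the caller but carries
    no tenant, so a record id from any brand resolves and one key reads everything."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get_record(self, record_id: int) -> Optional[tuple]:
        return self.conn.execute(
            "SELECT id, tenant_id, name, summary FROM patient_records WHERE id = ?",
            (record_id,),
        ).fetchone()

    def readable_count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM patient_records").fetchone()[0]


class TenantScopedStore:
    """The isolated pattern: the tenant comes from the credential, never from the
    request, and is appended to every query, so a foreign record id does not exist."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    def get_record(self, record_id: int) -> Optional[tuple]:
        return self.conn.execute(
            "SELECT id, tenant_id, name, summary FROM patient_records "
            "WHERE id = ? AND tenant_id = ?",
            (record_id, self.tenant_id),
        ).fetchone()

    def readable_count(self) -> int:
        return self.conn.execute(
            "SELECT COUNT(*) FROM patient_records WHERE tenant_id = ?", (self.tenant_id,)
        ).fetchone()[0]


def open_store(conn: sqlite3.Connection, api_key: str) -> TenantScopedStore:
    """Resolve a credential to its tenant; an unknown key gets no store at all."""
    tenant = API_KEYS.get(api_key)
    if tenant is None:
        raise PermissionError("unknown credential")
    return TenantScopedStore(conn, tenant)


if __name__ == "__main__":
    db = build_store()
    stolen = UnscopedStore(db)
    print("unscoped key reaches", stolen.readable_count(), "records")
    scoped = open_store(db, "key-brand-a")
    print("brand_a key reaches", scoped.readable_count(), "records")
    print("brand_a key reading a brand_b record:", scoped.get_record(3))
```

The point of the scoped class is that the filter cannot be forgotten by a caller: the tenant is fixed when the store is opened, and a compromised brand_a key reaches brand_a's two rows and nothing else. In a production database the same binding is usually pushed into the engine itself (for example row-level security policies keyed on the session's tenant) so that an application query that omits the predicate still cannot cross tenants.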
Why This Keeps Happening: Third-Party Data Aggregators as Invisible Risk
Healthcare organizations spend significant resources securing their own systems. HIPAA compliance programs, annual risk assessments, penetration tests, vendor reviews. But those programs typically examine the primary vendor relationship, not the full stack.
HHS reports that healthcare breaches exposed 167 million records in 2024. Third-party breaches account for a disproportionate share of these incidents. The Change Healthcare breach is the primary example of how one clearinghouse can impact nearly every U.S. insurer.
OpenLoop is a smaller version with the same structural problem. When a third party aggregates sensitive data at scale, it becomes a high-value, single-point target. And because the data belongs to the aggregator's clients rather than to the aggregator, its classification and governance often end up meeting neither the originating client's standards nor the level of security investment that concentration of risk warrants.
Gartner calls this "shadow PHI." This is protected health information outside the governance perimeter of the responsible organization. It is stored by intermediaries without continuous, consistent data classification controls.
The patients of Remedy Meds, MEDVi, and Fridays did not know OpenLoop existed. Their data did not show up in OpenLoop's public-facing privacy disclosures. And yet it was there, aggregated, accessible, and ultimately exfiltrated.
What Would Have Changed the Outcome
- Identify Inventory Gaps: Continuous discovery would have surfaced the concentration of multi-tenant PHI in shared stores. This identifies which datasets belong to which clients and confirms if they are appropriately segmented.
- Flag Co-mingled PHI: Sentra's classification layer flags co-mingled regulated records. This is a critical posture signal that warrants immediate remediation rather than being buried in a report.
- Analyze Identity and Access: Continuous analysis shows which service accounts and API keys have read access. Least privilege enforcement would have significantly reduced the blast radius of compromised credentials.
- Map Data Lineage: Lineage mapping provides real-time answers about compromise impact. Security teams need to know exactly how many records are reachable on demand.
- Consistent Data Labeling: Classification tags applied automatically and uniformly across every sensitive data store let remediation (access revocation, segmentation, retention) act on the same labels everywhere instead of on per-store conventions.
These controls detect and address exposure risk before a breach. While they may not stop every initial access vector, they materially reduce the blast radius with proactive risk management. Visible governance turns a massive incident into a contained event.
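The controls listed above (inventory of multi-tenant stores, flagging co-mingled regulated records, identity and access analysis, and on-demand reachable-record counts) reduce to a few queries over inventory and grant metadata. The following added example is not Sentra's or OpenLoop's code; it runs those queries over a constructed inventory of stores, tenants, classifications and principals to show what each finding looks like.

```python
"""DSPM-style posture audit over a shared-tenant data estate.

Added example, not Sentra's or OpenLoop's code: given an inventory of data
stores (which tenant's records they hold and how those records are classified)
and the identities granted access to them, it flags co-mingled regulated
records, computes the blast radius of each credential, and lists credentials
that reach tenants other than their own. Store names, tenants, record counts
and principals are all constructed for illustration."""
from typing import Dict, List, Tuple

REGULATED = {"PHI", "PII"}

# Constructed inventory: store -> tenant -> classification and record count.
STORES = {
    "s3://clinical-exports": {
        "brand_a": {"records": 50_000, "classes": {"PHI"}},
        "brand_b": {"records": 30_000, "classes": {"PHI", "PII"}},
        "brand_c": {"records": 20_000, "classes": {"PHI"}},
    },
    "pg://intake/patients": {
        "brand_a": {"records": 8_000, "classes": {"PII"}},
    },
    "s3://marketing-assets": {
        "brand_b": {"records": 5_000, "classes": {"PUBLIC"}},
    },
}

# Constructed grants: which principal may perform which actions on which store.
GRANTS = [
    {"principal": "svc-export-worker", "store": "s3://clinical-exports", "actions": {"read", "write"}},
    {"principal": "key-brand-a-portal", "store": "s3://clinical-exports", "actions": {"read"}},
    {"principal": "key-brand-a-portal", "store": "pg://intake/patients", "actions": {"read"}},
    {"principal": "svc-backup", "store": "s3://clinical-exports", "actions": {"list"}},
    {"principal": "key-brand-b-portal", "store": "s3://marketing-assets", "actions": {"read"}},
]

# Which tenant each tenant-facing credential was issued to; platform service
# accounts are not listed because they belong to the aggregator itself.
PRINCIPAL_TENANT = {"key-brand-a-portal": "brand_a", "key-brand-b-portal": "brand_b"}


def comingled_stores(stores) -> Dict[str, List[str]]:
    """Stores holding regulated records from more than one tenant in one location."""
    findings = {}
    for store, tenants in stores.items():
        regulated = sorted(t for t, meta in tenants.items() if meta["classes"] & REGULATED)
        if len(regulated) > 1:
            findings[store] = regulated
    return findings


def blast_radius(stores, grants, principal) -> Dict[str, int]:
    """Regulated records, per tenant, that one principal can read: what its stolen credential reaches."""
    reach: Dict[str, int] = {}
    for grant in grants:
        if grant["principal"] != principal or "read" not in grant["actions"]:
            continue
        for tenant, meta in stores[grant["store"]].items():
            if meta["classes"] & REGULATED:
                reach[tenant] = reach.get(tenant, 0) + meta["records"]
    return reach


def least_privilege_findings(stores, grants, principal_tenant) -> List[Tuple[str, str, Dict[str, int]]]:
    """Tenant-issued credentials that can read other tenants' regulated records."""
    findings = []
    for principal, owner in principal_tenant.items():
        foreign = {t: n for t, n in blast_radius(stores, grants, principal).items() if t != owner}
        if foreign:
            findings.append((principal, owner, foreign))
    return findings


def widest_principals(stores, grants, top: int = 3) -> List[Tuple[str, int]]:
    """Principals ranked by total regulated records reachable; ties broken by name."""
    totals = {p: sum(blast_radius(stores, grants, p).values()) for p in {g["principal"] for g in grants}}
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:top]


if __name__ == "__main__":
    print("co-mingled stores:", comingled_stores(STORES))
    print("widest credentials:", widest_principals(STORES, GRANTS))
    for principal, owner, foreign in least_privilege_findings(STORES, GRANTS, PRINCIPAL_TENANT):
        print(f"{principal} (issued to {owner}) can read other tenants' data: {foreign}")
```

Two things the output makes concrete: the brand_a portal key is the widest credential in the estate even though it is a client-side key, because the store it reads is co-mingled, and the backup account with list-only access contributes nothing to the blast radius. Revoking the portal key's read on the shared export bucket, or splitting that bucket per tenant, is the remediation the finding points at.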
What to Do Now
If your organization relies on third-party platforms that aggregate or process sensitive data on your behalf, four things are worth doing this week:
1. Map your data supply chain. Identify every third-party or SaaS vendor that receives, processes, or stores PHI, PII, or regulated data on your behalf. This includes infrastructure providers, not just application vendors.
2. Ask your BAA partners about their data classification posture. A Business Associate Agreement establishes legal accountability. It does not guarantee that your patients' data is classified, segmented, and access-controlled inside the partner's environment. Ask specifically: can they show you where your data lives, who can access it, and how it is isolated from other clients' data?
3. Audit your own aggregation points. Most organizations have internal equivalents of the OpenLoop problem: data lakes, data warehouses, or shared analytics environments where sensitive data from multiple business units or customer segments has been aggregated without consistent classification or access segmentation. Run an inventory.
4. Review your incident response scope. The OpenLoop breach required notifications in Texas, California, Rhode Island, and other states. If a third party was breached and your customers' data was in scope, your incident response obligations may be triggered even without direct access to your own systems. Know your notification posture.
Longer term, consider Data Security Posture Management (DSPM), which is the discipline of continuously discovering, classifying, and governing sensitive data across a distributed data estate — exactly the kind of visibility that a multi-tenant health infrastructure provider needs to avoid what happened here.
Sentra maps sensitive data exposures across your entire environment. This includes all third-party integrations. Start with a data estate inventory. Request a demo.
Frequently Asked Questions
What happened in the OpenLoop Health breach?
An unauthorized party accessed OpenLoop systems on January 7, 2026 and exfiltrated files containing PHI within a day. OpenLoop is a white-label provider for 120+ healthcare companies, so the exposure spans patients of many different brands.
What data was exposed?
OpenLoop's breach notifications confirm that names, addresses, email addresses, dates of birth, and medical information were exposed for up to 716,000 individuals. The threat actor "stuckin2019" claims the dataset includes 1.6 million records and additional fields including phone numbers, IP addresses, and prescription information.
What is a multi-tenant PHI breach?
A multi-tenant PHI breach is a data breach in which a shared infrastructure provider's compromise exposes sensitive health records belonging to patients of multiple healthcare organizations. Because data from many covered entities is aggregated in a single environment, a single intrusion produces a disproportionately large exposure. The Change Healthcare and OpenLoop breaches are both examples of this pattern.
How does DSPM apply to multi-tenant health infrastructure?
Data Security Posture Management applied to multi-tenant health infrastructure continuously discovers and classifies PHI across shared data stores, maps access paths to individual service accounts and API keys, and flags data co-mingling across client tenants as a posture risk. The goal is to surface the exposure before a breach, not reconstruct it after.
What should healthcare organizations using white-label telehealth platforms do?
They should confirm their vendor's data classification and segmentation posture, audit their own BAA agreements for data security requirements, map their third-party data supply chain, and verify that incident response plans cover third-party breach scenarios.
Is the OpenLoop breach subject to HIPAA?
Yes. OpenLoop operates as a Business Associate under HIPAA, processing PHI on behalf of covered entities. The HHS Office for Civil Rights breach portal listing confirms this incident is within HIPAA jurisdiction. Affected covered entities may also have independent notification obligations depending on state breach notification laws.