OpenLoopHealth, a U.S. healthcare service provider, is reportedly facing a significant data breach claim: a criminal threat actor says it exfiltrated approximately 1.6 million records from the company.
The records are said to comprise both protected health information (PHI) and personally identifiable information (PII). Neither OpenLoopHealth nor any U.S. government agency has yet confirmed the data or the breach.
Breach claim targets U.S. digital health provider
A malicious actor known as stuckin2019 claims to have hacked OpenLoopHealth and stolen a large volume of patient-level data. OpenLoopHealth is an infrastructure and enablement provider, offering a platform for delivering virtual care to clinics across the U.S.
Because OpenLoopHealth functions as an infrastructure and enablement provider rather than a standalone clinic, any confirmed breach will have downstream ramifications for multiple healthcare providers and their patients.
The company's business model therefore likely increases the overall exposure: compromised data would spread across many facilities and organizations rather than remaining confined to a single entity.
Offering the data for sale suggests that a financially motivated cybercriminal carried out the attack, rather than a hacktivist group or a state-sponsored actor. Threat actors frequently post sample datasets to boost their credibility and legitimize the data, products, or services they offer on underground markets, a tactic also employed by ransomware groups such as RansomHouse, which recently leaked data from Italian textile giant Fulgar on the dark web.
Allegedly exposed patient and medical data
The threat actor claims the stolen data includes both patient information and medical records. To support this claim, the actor posted two separate sample datasets, each containing a different type of data and available to view separately.
The first data set appears to contain full names, email addresses, telephone numbers, residential addresses, and dates of birth.
The listing for this data set also states that it may include body metrics such as height and weight, extensive medical history, biometric identifiers, and other unspecified forms of protected health information.
The second data set overlaps with the first on identity data: names, physical addresses, email addresses, and telephone numbers appear in both. It also contains IP addresses, details of prescribed medications, FedEx package-tracking information, and other metadata linked to individuals.
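When two sample datasets are said to overlap on identity fields, an analyst evaluating the claim will normally measure that overlap rather than eyeball it, because matching on raw strings undercounts (the same person appears as "Jane.Doe@Example.com" in one file and "jane.doe@example.com" in the other, or with a phone number written three different ways). The script below is an added example of that check; it is not code from the article or from OpenLoopHealth, and the two CSV blobs are constructed stand-ins with the same column shapes as the samples the article describes, not rows from the actual leak. It normalises email and phone, keys each record on the pair, and reports shared records, records unique to each set, and the Jaccard overlap.

```python
import csv
import io
import re

# Constructed stand-in rows for the two leaked sample datasets described in the
# article. None of these values come from the actual leak; they exist only so
# the correlation logic below has realistic-looking input to run on.
SAMPLE_A = """name,email,phone,address,dob
Jane Doe,Jane.Doe@example.com,(555) 010-1234,"1 Main St, Springfield",1980-01-01
John Roe,john.roe@example.com,555-010-5678,"2 Oak Ave, Shelbyville",1975-06-30
Ana Lima,ana.lima@example.com,555 010 9999,"3 Elm Rd, Ogdenville",1990-12-12
"""

SAMPLE_B = """name,email,phone,address,ip,medication,tracking
Jane Doe,jane.doe@example.com,5550101234,"1 Main St, Springfield",203.0.113.10,drugX,123456789
John Roe,JOHN.ROE@example.com,+1 555-010-5678,"2 Oak Ave, Shelbyville",203.0.113.11,drugY,987654321
Sam Poe,sam.poe@example.com,555-010-0001,"4 Pine Ct, Capital City",203.0.113.12,drugZ,555555555
"""


def normalize_email(value: str) -> str:
    """Lower-case and trim so differently-cased copies of one address compare equal."""
    return value.strip().lower()


def normalize_phone(value: str) -> str:
    """Keep digits only and drop a leading US country code ('+1 555...' -> '555...')."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def load_rows(csv_text: str) -> list[dict]:
    """Parse a CSV blob (quoted fields with commas are handled by the csv module)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def identity_keys(rows: list[dict]) -> set[tuple[str, str]]:
    """One key per record: (normalised email, normalised phone)."""
    return {(normalize_email(r["email"]), normalize_phone(r["phone"])) for r in rows}


def overlap(rows_a: list[dict], rows_b: list[dict]) -> dict:
    """Count records present in both samples, in only one, and the Jaccard ratio."""
    keys_a, keys_b = identity_keys(rows_a), identity_keys(rows_b)
    shared = keys_a & keys_b
    union = keys_a | keys_b
    return {
        "shared": len(shared),
        "only_a": len(keys_a - keys_b),
        "only_b": len(keys_b - keys_a),
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


def main() -> None:
    rows_a, rows_b = load_rows(SAMPLE_A), load_rows(SAMPLE_B)
    print(overlap(rows_a, rows_b))


if __name__ == "__main__":
    main()
```

A high overlap on normalised identity keys is consistent with both samples coming from one source; a low overlap means either the two files cover different subsets of the same breach or one of them comes from elsewhere, which is worth knowing before treating the 1.6 million figure as a single population.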
Combining the logistics and prescription information in this way would give a threat actor the basis for large-scale, sophisticated fraud. This mirrors the severe fraud risk seen in other major breaches, such as the recent dark web sale of Salvation Army donor data that exposed millions of people globally. Stolen medical identities can be used to file fraudulent claims, and a real medication name paired with a real package-tracking number makes a highly convincing social-engineering pretext.
Because healthcare data stays valid for years, contains deep personal details, and offers significant potential for abuse, cybercriminals treat it as one of the most valuable commodities on the black market. Unlike a password or a credit card number, medical information cannot be replaced once it has been compromised.
Verification status and response by the organization
OpenLoopHealth has not issued an official breach announcement, and no regulatory agency has confirmed receiving a related disclosure. That said, the public availability of sample data files significantly increases the urgency for the company to act.
OpenLoopHealth is now under pressure to investigate the claim quickly and release clear, honest findings. If investigators confirm that patient records or biometric data were involved, the incident would likely fall under U.S. federal and state health data protection laws, including HIPAA's breach notification requirements.
Patients affected by the breach may face delayed risks, as cybercriminals can sell or misuse their stolen healthcare information months or even years after acquiring it.
The rise of cyber threats to digital health and telehealth infrastructure
As the healthcare sector becomes increasingly reliant on centralized services for virtual appointments, scheduling, and prescription fulfilment, the providers of those services have emerged as prime targets for cybercriminals, since one intrusion can expose the patients of many downstream clinics at once.
This trend is not confined to healthcare, as seen in recent incidents like the leak of Sorbonne University’s data to the dark web, proving that any organization housing sensitive information is a high-value target.
This case highlights the growing need for stronger security measures throughout the digital healthcare delivery infrastructure. As that infrastructure expands, so does the attack surface exposed to criminals. Continuous monitoring and rapid disclosure policies will therefore play an important role in mitigating these risks.