OpenLoop telehealth platform faces data breach claimed by lone threat actor

The threat actor claims to have data from over 3 million individuals, including data from OpenLoop and other healthcare providers.

 

What happened

Recently, OpenLoop, an Iowa-based white-label telehealth platform, notified the Texas Attorney General of a data breach. The notification took place on March 18th, but only included impacted individuals who are also residents of Texas. OpenLoop said 68,160 Texans had been impacted and stated that the data did not include electronic health records, Social Security numbers, or financial account information. OpenLoop also notified the California Attorney General, but that report did not include the number impacted.

 

Going deeper

Currently, OpenLoop has not posted anything on their own website. According to the report to the California Attorney General, the breach took place between January 7th and January 8th, and was discovered on January 7th.

OpenLoop began notifying patients on March 17th, using this notice. The threat actor has claimed to have breached more than just OpenLoop. Specifically, it’s believed that Zealthy, a New York-based primary care and mental health telehealth provider, also experienced a data breach. While Zealthy has not provided any comment on the issue, the threat actor did post some of the data, which included driver’s licenses, alongside personal and protected health information of five patients. He further claims to have 2.1 million patient records, including names, email addresses, phone numbers, addresses, license information, and other protected information. The actor claimed to have attacked other medical entities as well, but did not provide additional details.

 

In the know

Both breaches have been claimed by an actor who calls himself Stuckin2019. The actor claims to have data from 1.6 million OpenLoop patients. Stuckin2019 posted a sample of the data online, which included patient names, email addresses, postal addresses, heights and weights, medical information, and biometric data. Another sample contained patient contact information and prescription information.

DataBreaches.net contacted Stuckin2019, and the actor claimed he worked alone and was male. The individual also said he regretted listing the data, as he first wanted to negotiate with OpenLoop. OpenLoop reportedly agreed to pay him to remove the listing, which he claims to have done. “I deleted it, all that remains is the 2 samples that I have posted on my pixeldrain account,” he said.

 

The big picture

The incidents show how even one lone actor can cause significant harm to individuals and to healthcare practices. While OpenLoop has not admitted to negotiating with Stuckin2019, it’s never advisable to pay ransomware attackers, as it can incentivize them to attack again. Sometimes organizations want to negotiate in order to avoid the legal ramifications of data breach lawsuits. Paubox frequently covers data breach settlements, which can quickly cost organizations millions of dollars. Earlier this month, Essen Medical Associates agreed to a $4 million settlement and Rebound Orthopedics & Neurosurgery agreed to a $2.5 million settlement. If OpenLoop was trying to avoid a lawsuit, it’s not clear whether they will be successful. At least one class action suit has been filed by a victim located in Texas.

 

FAQs

What is a white-label telehealth service?

A white-label telehealth platform provides support and providers under a hospital’s own brand. The concept is designed to make it easier for hospitals to offer telehealth options without having to set up a whole system, hire new providers, and manage everyday functions.

 

Why hasn’t OpenLoop or Zealthy notified the Department of Health and Human Services (HHS)?

While OpenLoop and Zealthy should notify HHS of the data breach, they may be delaying the notification as they investigate the incident, strengthen their cybersecurity systems, or determine how they will respond to Stuckin2019.
