A Des Moines company is facing a potential class action lawsuit over an alleged cyberattack that may have exposed the health data of 1.6 million people to unauthorized disclosure.OpenLoop Health, a digital-health infrastructure company that partners with various health care organizations in providing telehealth services to patients, is being sued in U.S. District Court for the Southern District of Iowa.Attorneys for the plaintiff, Kathy Morehart of Texas, allege Morehart and others who are part of a potential class of victims numbering in the thousands relied on OpenLoop to keep their private health information confidential.The lawsuit claims that on Jan. 7, 2026, a group of cybercriminals known as “stuckin2019” claimed to have hacked into OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges that stuckin2019 is claiming the information is linked to more than 1.6 million patients in the United States.The lawsuit also alleges OpenLoop has failed to notify patients of the data breach and that the company had long been “on notice that companies in the healthcare industry are susceptible targets for data breaches,” given highly publicized cyberattacks in the industry and FBI warnings that date back to 2014.The lawsuit claims OpenLoop’s data breach “resulted from a combination of insufficiencies that indicate (the company) failed to comply with safeguards mandated by Health Information Portability and Accountability Act (HIPAA) regulations and industry standards.”The lawsuit seeks not only monetary relief for all potential victims of the data breach, but a court injunction that will, in theory, provide protection from any additional data breaches going forward. The lawsuit also seeks an order instructing OpenLoop to pay for lifetime credit monitoring and identity-theft insurance for all class members.One study cited in the lawsuit found that confirmed identity-theft cases stemming from health care data breaches have cost individuals an average of $20,000 — often through out-of-pocket costs associated with their health care coverage.While credit card information can sell for as little as $1 to $2 on the black market, protected health information can sell for as much as $363, according to the lawsuit.“Plaintiff and class members are at an increased risk of fraud and identity theft, including medical identity theft, for many years into the future,” the lawsuit alleges. “(They) have no choice but to vigilantly monitor their accounts for many years to come.”OpenLoop has yet to respond to the lawsuit.Larry Trittschuh, chief information security officer for OpenLoop, said Thursday the company was “subject to a security incident in January 2026. Upon learning of this, we acted quickly to investigate, contain, and remediate the incident. We also reached out to and coordinated with law enforcement. Now that our investigation is complete, we are moving toward providing notice to impacted individuals. At this time, we can confirm that no financial information or Social Security numbers were compromised.”Trittschuh said OpenLoop is “continuing to monitor our systems closely to ensure the ongoing security of patient information. Protecting customer data and the security and integrity of our platform and services are responsibilities that we take seriously.”Two of the attorneys representing the plaintiffs in the case are J. Barton Goplerud and Brian O. Marty of Shindler, Anderson, Goplerud & Weese in West Des Moines. Iowa Capital Dispatch is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on Facebook and Twitter.
A Des Moines company is facing a potential class action lawsuit over an alleged cyberattack that may have exposed the health data of 1.6 million people to unauthorized disclosure.
OpenLoop Health, a digital-health infrastructure company that partners with various health care organizations in providing telehealth services to patients, is being sued in U.S. District Court for the Southern District of Iowa.
Attorneys for the plaintiff, Kathy Morehart of Texas, allege Morehart and others who are part of a potential class of victims numbering in the thousands relied on OpenLoop to keep their private health information confidential.
The lawsuit claims that on Jan. 7, 2026, a group of cybercriminals known as “stuckin2019” claimed to have hacked into OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges that stuckin2019 is claiming the information is linked to more than 1.6 million patients in the United States.
The lawsuit also alleges OpenLoop has failed to notify patients of the data breach and that the company had long been “on notice that companies in the healthcare industry are susceptible targets for data breaches,” given highly publicized cyberattacks in the industry and FBI warnings that date back to 2014.
The lawsuit claims OpenLoop’s data breach “resulted from a combination of insufficiencies that indicate (the company) failed to comply with safeguards mandated by Health Information Portability and Accountability Act (HIPAA) regulations and industry standards.”
The lawsuit seeks not only monetary relief for all potential victims of the data breach, but a court injunction that will, in theory, provide protection from any additional data breaches going forward. The lawsuit also seeks an order instructing OpenLoop to pay for lifetime credit monitoring and identity-theft insurance for all class members.
One study cited in the lawsuit found that confirmed identity-theft cases stemming from health care data breaches have cost individuals an average of $20,000 — often through out-of-pocket costs associated with their health care coverage.
While credit card information can sell for as little as $1 to $2 on the black market, protected health information can sell for as much as $363, according to the lawsuit.
“Plaintiff and class members are at an increased risk of fraud and identity theft, including medical identity theft, for many years into the future,” the lawsuit alleges. “(They) have no choice but to vigilantly monitor their accounts for many years to come.”
OpenLoop has yet to respond to the lawsuit.
Larry Trittschuh, chief information security officer for OpenLoop, said Thursday the company was “subject to a security incident in January 2026. Upon learning of this, we acted quickly to investigate, contain, and remediate the incident. We also reached out to and coordinated with law enforcement. Now that our investigation is complete, we are moving toward providing notice to impacted individuals. At this time, we can confirm that no financial information or Social Security numbers were compromised.”
Trittschuh said OpenLoop is “continuing to monitor our systems closely to ensure the ongoing security of patient information. Protecting customer data and the security and integrity of our platform and services are responsibilities that we take seriously.”
Two of the attorneys representing the plaintiffs in the case are J. Barton Goplerud and Brian O. Marty of Shindler, Anderson, Goplerud & Weese in West Des Moines.
Iowa Capital Dispatch is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on Facebook and Twitter.