Active breach tracker Reno, Nevada Disclosed October 6, 2025

OB-GYN Associates Data Breach 2025 (INC Ransom): 62,238 Reno Patients Exposed. Reproductive Health Records, SSNs, Bank Account Numbers. What To Do

OB-GYN Associates, Ltd. (Reno, Nevada) disclosed an August 2025 INC Ransom ransomware attack that exposed names, Social Security numbers, driver's license numbers, bank account and routing numbers, and reproductive-health medical information for 62,238 patients, including minors. Filed with HHS OCR on October 6, 2025. 12 months credit monitoring offered via TransUnion. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 7, 2025

Suspicious activity detected on OB-GYN Associates' network; unauthorized access identified the same day

Aug 7, 2025

Incident contained; outside forensic specialists engaged

Aug 27, 2025

INC Ransom posts OB-GYN Associates to its dark-web leak site

Aug 30, 2025

INC Ransom publicly claims the attack with leak-site ransom note

Sep 10, 2025

New Hampshire Attorney General breach notice filed

Sep 11, 2025

Substitute notice published

Sep 29, 2025

Forensic data review concludes; PHI involvement confirmed

Oct 6, 2025

Filed with HHS OCR (62,238 affected)

Oct 29, 2025

Individual notification letters mailed to affected patients

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Bank account and routing numbers Medical information (obstetric and gynecologic care records) Pediatric records (minors confirmed via CA AG notice)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

OB-GYN Associates, Ltd. (operating as OBGYN Associates) is a women’s-health clinic in Reno, Nevada providing obstetric and gynecologic care, including prenatal services, gynecologic surgery, and reproductive-health care.

On August 7, 2025, the practice detected suspicious activity on its network and determined the same day that an unauthorized third party had accessed its systems. Outside forensic specialists were engaged, the intrusion was contained, and affected systems were wiped and rebuilt.

On August 27, 2025, the INC Ransom ransomware-as-a-service group posted OB-GYN Associates as a victim on its dark-web leak site, and on August 30, 2025, the group publicly claimed the attack with a ransom note stating: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” OB-GYN Associates has not publicly confirmed whether a ransom was demanded or paid.

The forensic review concluded on September 29, 2025 that protected health information had been acquired. OB-GYN Associates filed with the New Hampshire Attorney General on September 10, 2025, published a substitute notice on September 11, 2025, filed with the HHS Office for Civil Rights on October 6, 2025 (confirming 62,238 affected individuals), and began mailing individual notification letters in late October 2025.

A California Attorney General notice referenced in press coverage confirms that some of the affected data belonged to minors, indicating pediatric records of patients seen for adolescent or prenatal care.

Timeline

  • August 7, 2025 — Suspicious network activity detected; unauthorized access identified and contained
  • August 27, 2025 — INC Ransom posts OB-GYN Associates on its leak site
  • August 30, 2025 — INC Ransom publicly claims responsibility
  • September 10, 2025 — New Hampshire AG filing
  • September 11, 2025 — Substitute notice published
  • September 29, 2025 — Forensic data review concludes
  • October 6, 2025 — Filed with HHS OCR (62,238 affected)
  • October 29, 2025 — Individual notification letters begin going out

What was exposed

State filings and entity notices disclose the following data elements for affected individuals:

  • Full name (first and last)
  • Social Security number
  • Driver’s license number
  • Bank account and routing numbers
  • Medical information — including the obstetric and gynecologic care records the practice maintains
  • Pediatric records for minor patients (confirmed via California AG notice)

The combination of SSN, driver’s license, and bank routing detail is a complete identity-theft and account-takeover kit. The medical content is what makes this filing categorically different from a generic SSN breach.

Why this is uniquely sensitive: reproductive health, minors, and state shield laws

OB-GYN Associates is a reproductive-health provider. The medical information in the stolen dataset is, by the nature of the practice, obstetric and gynecologic records: pregnancy history, prenatal visits, miscarriage and pregnancy-loss documentation, contraception, fertility treatment, sexually transmitted infection history, gynecologic surgery, and related diagnoses. A subset of records belongs to minors.

This category of data carries elevated risk in the current legal environment:

  • Cross-state legal exposure. Reproductive-health records exfiltrated from a Nevada clinic can land on dark-web mirrors that are accessible from any state, including states criminalizing certain reproductive care. Nevada itself has a 2023 reproductive-health shield law (AB 161) that restricts in-state cooperation with out-of-state investigations targeting lawful Nevada care, but that statute cannot reach data already in the hands of a foreign ransomware group.
  • HIPAA Reproductive Health Privacy Rule (2024). The 2024 amendments require covered entities to refuse certain reproductive-care disclosures and to obtain attestations before producing PHI for investigative purposes. Those protections govern provider disclosures and do not apply once data is in criminal hands.
  • Stigma-targeted phishing and extortion. Threat actors with named obstetric and gynecologic diagnoses, pregnancy-loss records, or fertility-treatment details can craft highly targeted extortion outreach.
  • Pediatric exposure. Minors’ SSNs are particularly valuable on identity-fraud markets — credit files for children are typically unmonitored for years.

What OB-GYN Associates is offering

  • 12 months of complimentary single-bureau credit monitoring, credit reporting, and credit-score services via TransUnion
  • Enrollment deadline: 90 days from receipt of the individual notification letter
  • The practice states it has reviewed and updated data-security policies, upgraded network protections, and changed how data is stored

The offering is below the multi-year, three-bureau monitoring that several plaintiffs’ firms (and many state AGs) consider the appropriate standard for incidents involving SSN exposure of minors.

Class-action status

As of mid-2026, no class action has yet been filed. Multiple plaintiffs’ firms are publicly investigating, including:

  • Pittman, Dutton, Hellums, Bradley & Mann (PDHBM)
  • Strauss Borrelli PLLC
  • Migliaccio & Rathod LLP
  • Finkelstein, Blankinship, Frei-Pearson & Garber, LLP (FBFG)
  • ClassAction.org’s coordinated investigation network (publicly closed without a filing as of November 18, 2025)

Affected individuals are still within most state statute-of-limitations windows for consumer-protection and negligence claims.

What to do

  1. Enroll in the TransUnion credit-monitoring offered within 90 days of receiving your notification letter — but do not stop there.
  2. Place free credit freezes at all three bureaus (Equifax, Experian, TransUnion). A freeze is more protective than monitoring.
  3. If a child of yours is a patient, request a manual credit-file check for the minor at each bureau and freeze any file that exists. Minors typically should not have a credit file at all.
  4. File IRS Form 14039 (Identity Theft Affidavit) to prevent fraudulent tax filings using your SSN — especially relevant given driver’s license + SSN exposure.
  5. Cancel and reissue any bank accounts whose routing and account numbers were in your OB-GYN Associates billing records.
  6. Be alert to highly targeted extortion or phishing that references obstetric history, pregnancy, or fertility treatment — that level of detail is in the stolen dataset.
  7. Restrict downstream sharing of your reproductive-health record. HealthConsent files HIPAA Section 164.522 restriction requests so the obstetric and gynecologic data exposed in this breach is not continuously re-shared by labs, billing vendors, payers, or HIEs.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.