OB-GYN Associates Data Breach 2025 (INC Ransom): 62,238 Reno Patients Exposed. Reproductive Health Records, SSNs, Bank Account Numbers. What To Do
OB-GYN Associates, Ltd. (Reno, Nevada) disclosed an August 2025 INC Ransom ransomware attack that exposed names, Social Security numbers, driver's license numbers, bank account and routing numbers, and reproductive-health medical information for 62,238 patients, including minors. Filed with HHS OCR on October 6, 2025. 12 months credit monitoring offered via TransUnion. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 7, 2025
Suspicious activity detected on OB-GYN Associates' network; unauthorized access identified the same day
Aug 7, 2025
Incident contained; outside forensic specialists engaged
Aug 27, 2025
INC Ransom posts OB-GYN Associates to its dark-web leak site
Aug 30, 2025
INC Ransom publicly claims the attack with leak-site ransom note
Sep 10, 2025
New Hampshire Attorney General breach notice filed
Sep 11, 2025
Substitute notice published
Sep 29, 2025
Forensic data review concludes; PHI involvement confirmed
Oct 6, 2025
Filed with HHS OCR (62,238 affected)
Oct 29, 2025
Individual notification letters mailed to affected patients
Aug 7, 2025
Suspicious activity detected on OB-GYN Associates' network; unauthorized access identified the same day
Aug 7, 2025
Incident contained; outside forensic specialists engaged
Aug 27, 2025
INC Ransom posts OB-GYN Associates to its dark-web leak site
Aug 30, 2025
INC Ransom publicly claims the attack with leak-site ransom note
Sep 10, 2025
New Hampshire Attorney General breach notice filed
Sep 11, 2025
Substitute notice published
Sep 29, 2025
Forensic data review concludes; PHI involvement confirmed
Oct 6, 2025
Filed with HHS OCR (62,238 affected)
Oct 29, 2025
Individual notification letters mailed to affected patients
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
OB-GYN Associates, Ltd. (operating as OBGYN Associates) is a women’s-health clinic in Reno, Nevada providing obstetric and gynecologic care, including prenatal services, gynecologic surgery, and reproductive-health care.
On August 7, 2025, the practice detected suspicious activity on its network and determined the same day that an unauthorized third party had accessed its systems. Outside forensic specialists were engaged, the intrusion was contained, and affected systems were wiped and rebuilt.
On August 27, 2025, the INC Ransom ransomware-as-a-service group posted OB-GYN Associates as a victim on its dark-web leak site, and on August 30, 2025, the group publicly claimed the attack with a ransom note stating: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” OB-GYN Associates has not publicly confirmed whether a ransom was demanded or paid.
The forensic review concluded on September 29, 2025 that protected health information had been acquired. OB-GYN Associates filed with the New Hampshire Attorney General on September 10, 2025, published a substitute notice on September 11, 2025, filed with the HHS Office for Civil Rights on October 6, 2025 (confirming 62,238 affected individuals), and began mailing individual notification letters in late October 2025.
A California Attorney General notice referenced in press coverage confirms that some of the affected data belonged to minors, indicating pediatric records of patients seen for adolescent or prenatal care.
Timeline
- August 7, 2025 — Suspicious network activity detected; unauthorized access identified and contained
- August 27, 2025 — INC Ransom posts OB-GYN Associates on its leak site
- August 30, 2025 — INC Ransom publicly claims responsibility
- September 10, 2025 — New Hampshire AG filing
- September 11, 2025 — Substitute notice published
- September 29, 2025 — Forensic data review concludes
- October 6, 2025 — Filed with HHS OCR (62,238 affected)
- October 29, 2025 — Individual notification letters begin going out
What was exposed
State filings and entity notices disclose the following data elements for affected individuals:
- Full name (first and last)
- Social Security number
- Driver’s license number
- Bank account and routing numbers
- Medical information — including the obstetric and gynecologic care records the practice maintains
- Pediatric records for minor patients (confirmed via California AG notice)
The combination of SSN, driver’s license, and bank routing detail is a complete identity-theft and account-takeover kit. The medical content is what makes this filing categorically different from a generic SSN breach.
Why this is uniquely sensitive: reproductive health, minors, and state shield laws
OB-GYN Associates is a reproductive-health provider. The medical information in the stolen dataset is, by the nature of the practice, obstetric and gynecologic records: pregnancy history, prenatal visits, miscarriage and pregnancy-loss documentation, contraception, fertility treatment, sexually transmitted infection history, gynecologic surgery, and related diagnoses. A subset of records belongs to minors.
This category of data carries elevated risk in the current legal environment:
- Cross-state legal exposure. Reproductive-health records exfiltrated from a Nevada clinic can land on dark-web mirrors that are accessible from any state, including states criminalizing certain reproductive care. Nevada itself has a 2023 reproductive-health shield law (AB 161) that restricts in-state cooperation with out-of-state investigations targeting lawful Nevada care, but that statute cannot reach data already in the hands of a foreign ransomware group.
- HIPAA Reproductive Health Privacy Rule (2024). The 2024 amendments require covered entities to refuse certain reproductive-care disclosures and to obtain attestations before producing PHI for investigative purposes. Those protections govern provider disclosures and do not apply once data is in criminal hands.
- Stigma-targeted phishing and extortion. Threat actors with named obstetric and gynecologic diagnoses, pregnancy-loss records, or fertility-treatment details can craft highly targeted extortion outreach.
- Pediatric exposure. Minors’ SSNs are particularly valuable on identity-fraud markets — credit files for children are typically unmonitored for years.
What OB-GYN Associates is offering
- 12 months of complimentary single-bureau credit monitoring, credit reporting, and credit-score services via TransUnion
- Enrollment deadline: 90 days from receipt of the individual notification letter
- The practice states it has reviewed and updated data-security policies, upgraded network protections, and changed how data is stored
The offering is below the multi-year, three-bureau monitoring that several plaintiffs’ firms (and many state AGs) consider the appropriate standard for incidents involving SSN exposure of minors.
Class-action status
As of mid-2026, no class action has yet been filed. Multiple plaintiffs’ firms are publicly investigating, including:
- Pittman, Dutton, Hellums, Bradley & Mann (PDHBM)
- Strauss Borrelli PLLC
- Migliaccio & Rathod LLP
- Finkelstein, Blankinship, Frei-Pearson & Garber, LLP (FBFG)
- ClassAction.org’s coordinated investigation network (publicly closed without a filing as of November 18, 2025)
Affected individuals are still within most state statute-of-limitations windows for consumer-protection and negligence claims.
What to do
- Enroll in the TransUnion credit-monitoring offered within 90 days of receiving your notification letter — but do not stop there.
- Place free credit freezes at all three bureaus (Equifax, Experian, TransUnion). A freeze is more protective than monitoring.
- If a child of yours is a patient, request a manual credit-file check for the minor at each bureau and freeze any file that exists. Minors typically should not have a credit file at all.
- File IRS Form 14039 (Identity Theft Affidavit) to prevent fraudulent tax filings using your SSN — especially relevant given driver’s license + SSN exposure.
- Cancel and reissue any bank accounts whose routing and account numbers were in your OB-GYN Associates billing records.
- Be alert to highly targeted extortion or phishing that references obstetric history, pregnancy, or fertility treatment — that level of detail is in the stolen dataset.
- Restrict downstream sharing of your reproductive-health record. HealthConsent files HIPAA Section 164.522 restriction requests so the obstetric and gynecologic data exposed in this breach is not continuously re-shared by labs, billing vendors, payers, or HIEs.
Sources
- HIPAA Journal — OB-GYN Associates and Beverly Hills Oncology breach coverage
- Comparitech — Kids’ medical info, SSNs compromised in data breach at OBGYN in Reno, NV
- KOLO 8 News (Reno) — OBGYN Associates warns of data breach
- Paubox — OB-GYN Associates announces data breach linked to INC Ransom group
- ClassAction.org — OB-GYN Associates Data Breach (Sept 2025)
- New Hampshire Attorney General — Breach Notice (Sept 10, 2025)
- HHS Office for Civil Rights Breach Portal
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: OB-GYN Associates Data Breach Coverage
- Comparitech: Kids' medical info, SSNs compromised in Reno OBGYN breach
- KOLO 8 News (Reno): OBGYN Associates warns of data breach
- Paubox: OB-GYN Associates announces data breach linked to INC ransom group
- ClassAction.org: OB-GYN Associates Data Breach Affects SSNs
- New Hampshire AG: OB-GYN Associates Breach Notice (Sept 10, 2025)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.