High Severity (Score: 6/10)

OB/GYN Medical Center Associates TX Breach: 2,132 Patients Affected

Breach Details

Entity: OB/GYN Medical Center Associates
Individuals Affected: 2,132
State: TX
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: July 23, 2025
Entity Type: Healthcare Provider
Business Associate: No

OB/GYN Medical Center Associates Texas Data Breach: 2,132 Patients Affected

On July 23, 2025, OB/GYN Medical Center Associates in Texas reported a significant data breach to the U.S. Department of Health and Human Services, affecting 2,132 patients. The incident involved unauthorized access to sensitive patient information through a third-party voicemail service provider, highlighting the ongoing cybersecurity challenges facing healthcare organizations.

What Happened

The breach originated from a hacking/IT incident targeting ConnectOnCall.com, LLC, a third-party vendor that provided voicemail messaging services to OB/GYN Medical Center Associates through May 2024. Despite the service relationship ending over a year ago, patient data remained vulnerable on the vendor's systems.

According to the breach notification, cybercriminals gained unauthorized access to the network server hosting the ConnectOnCall system. The healthcare provider discovered that patient messages left through this voicemail system may have been accessed by unauthorized individuals.

OB/GYN Medical Center Associates has been conducting a thorough review of messages left for the practice via the ConnectOnCall system to determine the full scope of the data exposure. The investigation confirmed that protected health information (PHI) was potentially compromised.

Who Is Affected

The breach impacts 2,132 patients who utilized OB/GYN Medical Center Associates' services and left messages through the ConnectOnCall voicemail system. This includes current and former patients who may have disclosed sensitive health information through voicemail messages.

Given the nature of OB/GYN services, the affected patients likely include women seeking reproductive health services, prenatal care, gynecological treatments, and obstetric services. The sensitive nature of these medical services makes this breach particularly concerning for patient privacy.

Breach Details

Entity: OB/GYN Medical Center Associates
Location: Texas
Entity Type: Healthcare Provider
Individuals Affected: 2,132
Breach Type: Hacking/IT Incident
Location of Breach: Network Server
Date Reported: July 23, 2025
Business Associate Involved: ConnectOnCall.com, LLC (third-party vendor)

The types of protected health information potentially accessed varied depending on what patients disclosed in their voicemail messages. According to the breach notice, compromised data may have included:

  • Patient names
  • Information about physical conditions
  • Medication details
  • Additional health information disclosed in voicemail messages

This incident represents a clear violation of HIPAA's Privacy Rule (45 CFR §164.502), which requires covered entities to protect PHI from unauthorized disclosure. The breach also raises questions about compliance with HIPAA's Security Rule (45 CFR §164.306), particularly regarding administrative, physical, and technical safeguards for electronic PHI.

What This Means for Patients

For the 2,132 affected patients, this breach poses several potential risks:

Identity Theft Risk: While the breach notice doesn't specify financial information exposure, health information combined with names can be used for identity theft schemes.

Medical Privacy Violations: Sensitive reproductive and gynecological health information may have been exposed, potentially leading to discrimination or personal embarrassment.

Targeted Scams: Cybercriminals may use the disclosed health information to craft convincing phishing emails or phone scams targeting affected patients.

Insurance Fraud: Health information can be used to file fraudulent insurance claims or obtain prescription medications illegally.

Under HIPAA's Breach Notification Rule (45 CFR §164.404), OB/GYN Medical Center Associates was required to notify affected individuals within 60 days of discovering the breach, which they appear to have done promptly.

How to Protect Yourself

If you're among the affected patients, take these immediate steps:

Monitor Your Accounts: Regularly review all medical bills, insurance statements, and credit reports for suspicious activity.

Be Alert to Scams: Be cautious of unsolicited calls, emails, or texts claiming to be from healthcare providers or insurance companies.

Verify Communications: Always verify the identity of anyone requesting health information by calling your healthcare provider directly.

Review Insurance Benefits: Monitor your health insurance explanation of benefits (EOB) statements for services you didn't receive.

Consider Credit Monitoring: While not specifically offered in this case, consider enrolling in credit monitoring services to detect potential identity theft.

Report Suspicious Activity: Contact your healthcare provider, insurance company, and local authorities if you notice any suspicious activity related to your health information.

Prevention Lessons for Healthcare Providers

This breach offers several important lessons for healthcare organizations:

Vendor Management: Healthcare providers must maintain strict oversight of business associates and third-party vendors, even after service relationships end. HIPAA's Business Associate Rule (45 CFR §164.502) requires covered entities to ensure their business associates adequately protect PHI.

Data Retention Policies: Organizations should implement clear policies for data deletion when vendor relationships terminate.

Regular Security Assessments: Conducting periodic security assessments of all systems containing PHI can help identify vulnerabilities before they're exploited.

Employee Training: Staff should be trained on proper procedures for sharing patient information with third-party vendors and recognizing potential security threats.

Incident Response Planning: Having a comprehensive incident response plan ensures quick action when breaches occur, potentially minimizing damage and ensuring HIPAA compliance.

The OB/GYN Medical Center Associates breach serves as a reminder that healthcare cybersecurity extends beyond an organization's direct control to include all vendors and partners handling patient data. As healthcare continues to digitize, robust security measures and vendor oversight become increasingly critical for protecting patient privacy.

Healthcare providers must remain vigilant about third-party risks and ensure all business associates maintain appropriate security standards throughout and after their service relationships. Patients, meanwhile, should stay informed about data breaches affecting their healthcare providers and take proactive steps to protect their personal information.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
