Overlake Obstetricians & Gynecologists

Overlake Obstetricians & Gynecologists, operating also as Overlake OB/GYN, is a medical practice based in the United States that provides specialized healthcare services focused on obstetrics and gynecology. The entity's core function is the delivery of medical care related to female reproductive health, pregnancy, and childbirth, serving patients within its local community. While the specific scale of its operations, such as the number of providers, clinics, or annual patient volume, is not detailed in available information, its identity as a provider in this medical specialty is clear from its name and the context of the documented security incident. The practice operates within the highly regulated healthcare sector, handling sensitive patient information protected under laws such as the Health Insurance Portability and Accountability Act (HIPAA). Its work involves the routine creation, storage, and transmission of personal health information, including medical histories, treatment records, and personally identifiable details like Social Security numbers, which are standard for patient intake and billing processes in U.S. medical settings.

The organization is notably linked to a significant cybersecurity incident that occurred on November 29, 2020. On that date, Overlake Obstetricians & Gynecologists was targeted by the Pysa threat actor group, a ransomware gang known for attacking healthcare entities. The attackers deployed Mespinoza malware to infiltrate the practice's systems, resulting in both the encryption of data for ransom and the exfiltration of sensitive files. The breach compromised the personal and medical information of over 8,900 individuals, exposing data that included Social Security numbers and detailed health histories. A distinguishing and critical attribute of this incident, as reported, is the entity's failure to publicly disclose the breach or notify the affected patients despite clear evidence that their data had been stolen and was at risk. This non-disclosure followed a pattern observed by Pysa, where victims who did not engage in negotiations or cooperate had their stolen data published on dark web leak sites to apply pressure. The incident underscores a specific operational and response challenge within the practice's history, highlighting a confrontation with cyber extortion and a subsequent lapse in breach notification protocols that are standard expectations for healthcare providers under U.S. law. No information is available regarding the practice's ownership structure, such as whether it is a sole proprietorship, partnership, part of a larger medical group, or affiliated with a hospital system.