Important Update from Ro

Zachariah Reitano
Oct 11, 2019

I have an important update I want to share.

Ro recently learned about an incident that affected the confidentiality of a limited number of Ro patient profiles (less than 0.25% of all accounts). This incident occurred because a laptop used by a physician on our platform was compromised. The laptop was issued by a large health institution to the physician to treat patients at the institution’s health center. The physician, at some point thereafter, downloaded unsecure software onto the laptop. The physician also used this laptop to treat patients on Ro’s platform. As a result, the confidentiality of these patient profiles was compromised. We don’t believe the physician acted maliciously or was aware of the compromise.

As soon as we found out, the Ro team immediately shut down the physician’s account and hired external cybersecurity experts to help us with an investigation. We have notified each patient affected by the incident and offered them identity protection services free of charge. We have also notified the relevant government agencies.

I want to take this opportunity to talk about an issue that we — the healthcare community, the tech industry, and the patients and consumers of both — are facing.

On one hand, our systems were not breached. Our databases weren’t compromised. No financial information, credit card numbers, or passwords of patients were accessed. Because it was the laptop that was compromised and not Ro’s system, a third party was able to access only what that physician was able to access — a very limited part of the Ro system that amounted to less than 0.25% of all accounts.

Ro notified the health institution of the compromised computer so they could take possession of the device and stop it from being used. Besides Ro, we don’t know what other services were used on this compromised laptop. While far from a win, I’m glad our team was able to work quickly and help take the steps to get it offline.

But, on the other hand, what’s most important today is that a third party was able to access patient data that they shouldn’t have been able to access. And we understand that none of the details above make it easier for the patients who were affected.

I’m a patient on Ro. My co-founders are patients on Ro. Employees of Ro are patients on Ro. Some of us were included in the patient profiles affected by this incident. We don’t have to imagine what it’s like to receive a notification; we know. This affected us too and it matters to us on a deeply personal level.

The challenge Ro and others face is that, in addition to securing our own systems, we need to account for systems outside of our direct control. Ro has taken and will take a number of steps to implement additional security measures to help further protect personal information, including enhancing the security on our physicians’ computers. (You can read more about what happened and the steps we’ve taken here.)

I’m writing this because I want patients to know how important this is to us. I am available to any patient on Ro, anytime. If you have any questions or concerns please email me at zachariah@ro.co.

Sincerely,

Zachariah Reitano
