FAQ: Security Update & Improvements at Ro

Patient safety and privacy are our top priority at Ro, and we take our obligation to protect patient information very seriously. Unfortunately, we recently had to notify a limited number of patients (less than 0.25% of all accounts) about an incident that affected the confidentiality of their information. We acted swiftly to investigate the incident and protect their data. If your information was affected by this incident, you have already received an email with more information and will also receive a letter by U.S. mail.

Although Ro’s systems were not breached and our databases weren’t compromised, this does not in any way diminish the seriousness of this incident.

Consistent with our commitment to transparency, we are sharing what we have learned and the steps we are taking to further protect patient information. We are committed to earning patient trust and building this company for them.

A message from our Co-founder and CEO, Zachariah Reitano, is also available.

What happened?

Ro recently learned that an unauthorized third party had obtained certain personal and health information through a compromised computer used by one of our affiliated physicians. This computer had been issued to the physician by a large health institution (the physician's primary employer) to treat patients at its health center. The physician also used this computer to treat patients on Ro's telemedicine platform. Unbeknownst to us, and in violation of our policies, the physician had downloaded insecure software onto this computer. Our investigation also revealed that the computer had been infected with malware.

Our team, with the help of an expert cybersecurity firm, diligently worked to determine the root cause and nature of the incident. Our investigation found that the combination of the malware and the unsecure software on the computer made certain patient information from within the physician’s account accessible to an unauthorized third party.

When we learned that the incident stemmed from the physician’s computer, we shut down the physician’s account, removed their access to any Ro systems, and notified the health institution of the compromised device. The health institution is now in possession of the compromised computer, and it is no longer being used to treat patients on Ro’s platform. Installing unapproved software violates our Physician Code of Conduct, and we have ended our affiliation with the physician permanently. We don’t believe the physician acted maliciously or was aware of the compromise.

How many people were affected?

The affected group represents a subset of patients treated in New York, North Carolina, and South Carolina. In total, less than 0.25% of all Ro accounts were affected.

Who have you notified?

We have notified all affected patients by email and U.S. mail. We have also notified the health institution that issued the compromised device and informed the appropriate government authorities.

Was Ro’s database or infrastructure breached?

Ro's database and infrastructure were not breached as part of this incident. However, any time the confidentiality of patient data is compromised, regardless of the circumstances, it needs to be addressed urgently and taken extremely seriously.

How long did the incident last?

The incident occurred between approximately August 21, 2019 and September 5, 2019. When we learned of the root cause, we promptly shut down the physician’s account and engaged security experts to help investigate the incident.

What is Ro doing to resolve the issue?

Throughout this incident, Ro worked tirelessly to protect patient information from being accessed by anyone else. We do not have reason to believe that patient information is at risk of further unauthorized access as a result of this incident.

What data was affected?

The affected data was the information accessible within the physician's account for that physician's patients: name, address, date of birth, prescription information, health survey information, photo, and an image of the patient's identification card.

Was any financial information compromised?

No financial information or credit card numbers were accessed or compromised in connection with this incident.

What steps is Ro taking because of this incident?

Working with security experts, we have taken — and will continue to take — a number of steps to implement additional security measures to help further protect patient information, including enhancing the security on affiliated physicians’ computers.

Were any other services compromised as a result of this infected laptop?

We do not know what other services were used by this physician or affected by this laptop.

Who is the physician and what is the health institution?

We intend to maintain the privacy of the physician and the health institution.

How do I know if my information has been affected?

If your information was affected by this incident, you have already received an email with more information and will also receive a letter by U.S. mail. Affected individuals represent a subset of patients treated in New York, North Carolina, and South Carolina — less than 0.25% of all Ro accounts.

If you did not receive an email or letter from Ro, it means that your personal information was not affected by this incident.

Will affected patients see any change to Ro’s products and services?

If you are currently receiving products or services from Ro, those will not be interrupted in any way. Patients can review their account history and medical record anytime at https://my.ro.co. For affected patients, a physician licensed in your state will be available for you to continue your medical care.

What is Ro doing for affected patients?

We have offered identity protection services free of charge for one year to every patient affected. We have a dedicated call center to answer questions, toll-free, at 1-877-514-0845. It is open Monday through Friday from 9 a.m. to 6:30 p.m. ET. Patients can also reach out any time to questions@ro.co.
