When an employee voluntarily shares their personal data with their employer, it is expected that this information will be kept secure and not shared with third parties or made publicly available online unless consent or a recognised legal basis is provided. Unfortunately, Ro, a telehealth company, was forced to notify its employees of a data breach involving personal information after a security contractor “inadvertently” uploaded a spreadsheet of employee data to the internet.
In a data breach notice obtained by TechCrunch from an affected employee who received the news this week, Ro said it discovered that the contractor uploaded the spreadsheet containing the employee’s personal information to an unspecified malware detection platform on July 6.
The spreadsheet comprised “personal information related to your employment,” the breach notice read, including employee names, addresses, and bank account numbers. No indication was given as to other information compromised, if any. “Ro immediately worked with the malware detection platform to have the spreadsheet deleted, and at this time, there is no evidence to suggest that there has been any attempt to misuse any of the information,” the breach notification read.
Ro added that the spreadsheet was “accessible to the platform’s paid business subscribers” for five days before it was removed.
When reached, Ro spokesperson Meg Pianta declined to name the malware detection platform. “We believe in transparency and sent a notification out of an abundance of caution,” said Pianta. The spokesperson would not say what assurances it received from the malware detection platform that there was no other access to the spreadsheet.
Meghan Pianta Senior Director of Communications at Ro assured that the incident exposed no customers’ or patients’ data.
Ro was launched as Roman in October 2017 by Zachariah Reitano, Saman Rahmanian, and Rob Schutz. It has both a telemedicine practice and a pharmacy to distribute medications for hair loss, cold sores, and genital herpes treatments. In September 2018, the company renamed itself Ro and began marketing smoking cessation products, under the brand name Zero. In March 2019, Ro launched women’s health products aimed at menopause, such as hot flashes and vaginal dryness, under the brand name Rory. In November 2021, Ro began selling at-home COVID tests, called On/Go, with 10 pharmacy distribution centres in the US.