Ro says it ‘inadvertently’ exposed employees’ personal information

Healthcare unicorn Ro is notifying employees of a data exposure involving their personal information after a security contractor “inadvertently” uploaded a spreadsheet of employee data to the internet.

In a data breach notice obtained by TechCrunch from an affected employee who received the notice this week, Ro said it discovered that the contractor uploaded the spreadsheet containing employee’s personal information to an unspecified malware detection platform on July 6.

The spreadsheet contained “personal information related to your employment,” the breach notice read, including employee names, addresses and bank account numbers. It’s not clear what other information, if any, was contained in the spreadsheet.

“Ro immediately worked with the malware detection platform to have the spreadsheet deleted, and at this time, there is no evidence to suggest that there has been any attempt to misuse any of the information,” the breach notification read.

Ro added that the spreadsheet was “accessible to the platform’s paid business subscribers” for five days before it was removed.

When reached, Ro spokesperson Meg Pianta declined to name the malware detection platform. “We believe in transparency and sent a notification out of an abundance of caution,” said Pianta. The spokesperson would not say what assurances it received from the malware detection platform that there was no other access to the spreadsheet.

Pianta said no customers or patients’ data was exposed by the incident.

It’s not uncommon for companies to rely on services, like VirusTotal, an online malware scanner that lets users simultaneously check suspicious files against dozens of antivirus engines at once. VirusTotal also allows other paying customers access to files uploaded by others to its database for security research but warns users to “not submit any personal information.”

Over the last year, Ro has gone through a ripple of changes, largely on the personnel front. In June, the company cut 18% of staff to “manage expenses, increase the efficiency of our organization and better map our resources to our current strategy,” leadership wrote in an email obtained by TechCrunch and confirmed by multiple sources.

Weeks before, Modern Fertility’s co-founder Afton Vechery, who sold her company to Ro in May 2021, left the company. And weeks later, Ro’s co-founder and chief growth officer Rob Schutz stepped back from his current role and took an advisory position. This all came after the company raised money from existing investors at a $7 billion valuation. It was an uptick from Ro’s prior valuation, around $5 billion, but the actual capital raised itself was less than its preceding round.

Ro’s biggest challenge since inception has been expanding beyond its core business: erectile dysfunction. The company said that, alongside its acquisition and pharmacy growth, it launched Ro Mind for mental health and Ro Derm for skincare. In a statement in response to TechCrunch’s October investigation into Ro’s culture and business, CEO Zachariah Reitano said that Derm is on pace to do over $20 million in revenue in 2021. He also said that non-Roman revenue is growing faster than Roman, reportedly 150% year over year.

Still, it’s unclear if Ro’s recent departures are related to tensions first surfaced by current and former employees in October 2021, when the cohort spoke to TechCrunch about churn due to frantic strategy set by executives. Some detailed a culture of prioritizing growth above all else, including the actual efficacy of its products. The company has since addressed some of those critiques, and said in an internal memo that its  “mantra for the remainder of the year (and potentially beyond) will be growth with discipline.”

As the recent data exposure shows, though, that growth is continuing to come with volatility — particularly for its staff.

Ro says it ‘inadvertently’ exposed employees’ personal information by Zack Whittaker originally published on TechCrunch