a self-storage readiness in Hollis, New York auctioned off the contents of a unit rented by the covered entity (CE) that contained medical records of 8,636 individuals. Ultimately, many of the records were left unattended in a home Depot parking set in Jamaica, New York. The protected health information (PHI) involved in the cut included names, dates of birth, addresses, social surety numbers, diagnoses, conditions, lab results, and other handling information. Following the hack, the ce provided hack notification to HHS, affected individuals, and the media, and provided credit and identity theft services to individuals at no cost. The CE also ended its praxis of storing patient files outside of the office and implemented policies and procedures that prohibit business associates from having access to PHI before a business associate agreement is in place. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the New York Attorney General and the CE agreed to enter into an authority of discontinuance that requires the ce to take additional corrective actions. Location of hacked information: Other, Paper/Films Business relate present: no