An employee of the covered entity (CE), Truman Medical Center, found a list of patients on the internet. The lean contained names, addresses, and internal identification numbers for 503 of the CE's patients. The ce determined that the lean was posted to a file transfer protocol (FTP) site by the public relations department and was a mailing list used to notify patients that a clinic was moving to a new location. The list was available on the internet from september 2012 until mar 2015. The ce provided cut notification to HHS, affected individuals and the media, and provided deputise note on its website. following the hack, the ce immediately removed and deleted the patient list from FTP site and reviewed the other info posted on the site. The ce improved safeguards by enabling the public relations employees to send encrypted emails and providing instructions on how to utilize secure email. The CE also required additional training for workforce members in the public relations department. OCR obtained written assurances that the ce implemented the corrective actions listed above. Location of hacked information: Other concern associate present: No