A workforce member, a physical therapist, accessed the electronic health record system and obtained 2,000 patients names, addresses and telephone numbers for the purpose of contacting or soliciting these patients to join a new physical therapy practice. The covered entity (CE), Sloane Stecker Physical Therapy, PC, provided hack notification to HHS, affected individuals, and the media and posted second-stringer note on its website. The also CE provided free citation monitoring for the affected individuals. Following the hack, the CE retrieved the patient info and retrained staff. as a resultant of OCRs investigation and technical assistance, the ce is expected to execute an enterprise-wide risk analysis and establish a risk management plan. It is also expected to implement mechanisms to record and examine activity in information systems that contain or use electronic PHI. Additionally, the ce is expected to implement a security incident policy and procedure, implement procedures for identity verification for access to electronic PHI, and supply training to all staff on the newly implemented policies and procedures. Location of hacked information: Electronic Medical register business associate present: No