Postmeds’ digital pharmacy Truepill has confirmed a data breach incident that leaked the customer information of over 2.3 million patients.
Based in Hayward, California, Truepill offers API-based order fulfillment services to healthcare organizations, having delivered over 20 million prescriptions since its inception in 2016.
According to its statement, the online pharmacy hired cybersecurity experts to investigate and secure its systems after detecting a “cybersecurity incident.” The probe confirmed unauthorized access “to a subset of files used for pharmacy management and fulfillment services” between August 30 and September 1, 2023.
Truepill notified impacted individuals on October 30, submitted the data breach to the U.S. Department of Health and Human Services Office for Civil Rights, and implemented additional security and operational measures.
However, a class-action lawsuit challenges Postmeds’ security practices and response to the incident.
Truepill data breach exposed sensitive personal information
Truepill’s investigation found that the data breach exposed patients’ names, medication types, and, in some cases, demographic information and/or prescribing physicians’ names. However, the attackers did not access Social Security Numbers, as the online pharmacy does not collect that information.
Potter Handy LLP, a law firm involved in the class action against Postmeds, claims the data breach also exposed the victims’ dates of birth, email addresses, diagnosis information, medical treatments, and health insurance information. Such information could enable threat actors to craft convincing, targeted phishing messages.
“Medical information is some of the most sensitive information a customer could possibly have exposed,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “Affected users should keep an eye out for fraudulent charges on their accounts and be alert for phishing schemes that could include emails, texts, and phone calls from bad actors looking to score additional personal and financial information.”
Meanwhile, the digital pharmacy said it has implemented additional data security measures, embarked on enhanced employee cybersecurity training, and reviewed its security protocols to prevent a similar incident in the future.
“We are enhancing our security protocols and technical safeguards in response to this incident, and we are increasing awareness of cybersecurity threats through additional employee training,” Truepill said.
However, the company did not disclose how the threat actors breached its systems. According to the Identity Theft Resource Center, 47% (347 of 733) of the data breaches reported in Q3 2023 did not disclose the attack vector.
“Truepill hasn’t disclosed how the breach happened, so it’s difficult to give advice on how to avoid the same mistakes in the future,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “Our analysis found that, since 2009, medical organizations in the US have suffered 5,478 data breaches, affecting nearly 423 million medical records. Medical records are protected by HIPAA, one of the most stringent privacy laws in the USA.”
More legal troubles for Postmeds’ Truepill digital pharmacy
The Postmeds data breach is the subject of a class action lawsuit stemming from the company’s alleged failure to protect sensitive personal data stored by its digital pharmacy Truepill.
Describing the data breach as “foreseeable and preventable,” the class action claims that the digital pharmacy stored data in an unencrypted, dangerous, and vulnerable condition.
The lawsuit also alleges that the two-month delay in notifying victims was untimely and left them insufficient opportunity to prevent misuse of their information. Some victims allegedly went on to report suspicious activity on their Venmo accounts and to discover their data on the dark web.
The class members also cited Truepill’s failure to disclose how the threat actors breached its systems and what demographic information the attacker accessed.
“Organizations that handle sensitive health information require robust, proactive cybersecurity measures,” said James McQuiggan, Security Awareness Advocate at KnowBe4. “It emphasizes the need for continuous vigilance, regular security audits, and comprehensive employee training to mitigate risks and cyber threats.”
“For senior management, the C-Suite, and boards of directors, it’s a call to prioritize cybersecurity not just as a compliance necessity but as a crucial part of the organizational security culture and operational strategy,” added McQuiggan.
The digital pharmacy was also the subject of legal action by the U.S. Drug Enforcement Administration for allegedly dispensing controlled substances illegally.
Truepill settled the case by accepting responsibility for operating an unregistered digital pharmacy and dispensing controlled substances beyond 90 days, including from unlicensed doctors. The digital pharmacy also promised to revise its procedures, implement new prescription controls, and submit to heightened compliance measures for four years.