Pharmacy provider Truepill data breach hits 2.3 million customers

Postmeds, doing business as ‘Truepill,’ is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information.

Truepill is a B2B-focused pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer (D2C) brands, digital health companies, and other healthcare organizations across all 50 states in the U.S.

According to the U.S. Department of Health and Human Services Office for Civil Rights breach portal, the incident impacts 2,364,359 people.

The letter states that the company discovered unauthorized network access on August 31, 2023. The investigation of the incident revealed that the attackers had gained access a day before.

The data types that might have been accessed by the threat actors include:

  • Full name
  • Medication type
  • Demographic information
  • Name of prescribing physician

The above information increases the risks of phishing and social engineering attacks. The notice clarifies that Social Security numbers (SSNs) were not in the exposed data set.

Some of the people receiving the data breach notices were somewhat puzzled, claiming they had never heard of the company and were unsure how their data got to Truepill.

Postmeds under legal fire

The far-reaching impact of the incident may lead to legal consequences as multiple class action lawsuits are being prepared across the country, arguing that the breach would have been prevented if Postmeds maintained a better security stance compatible with the industry guidelines.

Specifically, Postmeds is blamed for not encrypting sensitive healthcare information stored on its servers, which would significantly lessen the impact of a data breach.

The delay in notifying consumers may also be part of the possible lawsuits, as the firm took more than two months to inform affected persons.

During that time, some of the impacted people observed suspicious activity on their Venmo accounts, and confirmed later that their personal data had been posted on the dark web.

The notices are also criticized for being too vague: they do not explain how the intruders gained access to the firm’s systems, and they offer recipients neither protection guidance nor identity theft protection service coverage.

One of the law firms leading a litigation motion against Postmeds reports that the leaked data also includes addresses, dates of birth, medical treatment information, diagnosis information, and health insurance information, which aren’t mentioned in the firm’s notice.
