Cybersecurity attack against Amazon-owned online pharmacy PillPack exposed user health data

Amazon-owned PillPack reported a cybersecurity attack affecting the accounts of nearly 20,000 customers.

An unauthorized person used customer emails and passwords to log into PillPack customer accounts, over 3,000 of which contained prescription information. Social Security numbers and payment information were not involved in the attack, according to the online pharmacy.

PillPack’s internal investigation confirmed that the emails and passwords in question were not taken from its website. While PillPack is a subsidiary of Amazon, the company stated that only PillPack’s website was impacted.

“The limited information that was revealed is not enough to steal someone’s identity,” a company spokesperson told Fierce Healthcare. “This event was limited to PillPack, and we both notified the impacted customers directly and posted the notification to our website. We encouraged customers to contact PillPack via phone or email with any questions.”

The spokesperson said the company believed the customer login credentials were taken from other websites. Customer passwords were reset and multifactor authentication was enabled after suspicious activity was confirmed, the company said.

No unusual activity within the accounts in question was detected, and PillPack stated that there is no current evidence of the information being used in any way. “The limited information that was revealed is not enough to steal someone’s identity,” the spokesperson said.

The New Hampshire-based organization’s internal investigation found that the breach took place between April 2 and April 6, although suspicious login attempts were detected on April 3.

For the users whose prescription information was accessed, the information accessed was related to their PillPack prescriptions, along with the contact information for their prescribing provider.

PillPack was initially acquired by Amazon in 2018, marking the online retailer’s move into healthcare. Amazon Pharmacy was rolled out in 2020. In January of this year, the online retailer rolled out a $5 monthly prescription plan for U.S. Prime members that covers a slew of generic drugs and at-home delivery.

Cybersecurity attacks have occurred with increased frequency in recent years, with hospital ransomware attacks receiving the majority of media attention. Last year, the CommonSpirit attack compromised the protected health information of 600,000 patients in 13 different states.

Last year, PillPack paid $5.79 million in recompense for fraudulently overbilling for insulin, according to a document filed with the Department of Justice.