Digital pharmacy startup Truepill confirms hackers accessed health data for 2.3M users

Postmeds, doing business as Truepill, confirmed that hackers accessed the personal data of more than 2.3 million patients.

Postmeds, a pharmacy company that fulfills mail-order prescriptions, said in a data breach notice on its website it experienced a cybersecurity incident in late August, and a "bad actor" gained access to a subset of files used for pharmacy management and fulfillment services.

The company said it immediately launched an investigation with assistance from cybersecurity professionals and worked quickly to secure its IT environment.

"Our investigation determined that the bad actor accessed the files between August 30, 2023 and September 1, 2023," the company said.

The files that were breached contained patient names, medication type and, in some instances, demographic information and/or prescribing physician name. The company said Social Security numbers were not involved.

"We are committed to providing outstanding pharmacy services and protecting the information in our care. To help prevent something like this from happening again, we are enhancing our security protocols and technical safeguards, and we are increasing awareness of cybersecurity threats through additional employee training," the company said in the notice.

According to the U.S. Department of Health and Human Services' Office for Civil Rights breach portal, the incident impacted 2.36 million patients.

Truepill, a digital health startup that provides pharmacy fulfillment services for healthcare organizations, began mailing letters to individuals who were impacted by the incident Oct. 30.

Some impacted patients already have filed class-action lawsuits, with one lawsuit filed in the U.S. District Court for the Northern District of California. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime, the HIPAA Journal reported.

Truepill’s website says the company has served more than 3 million patients and delivered 20 million prescriptions since it was founded in 2016.

"Truepill hasn't disclosed how the breach happened, so it's difficult to give advice on how to avoid the same mistakes in the future. The info leaked in this breach could be used by criminals for health benefits fraud, as well as targeted phishing and scams. Victims should keep an eye on their medical bills for suspicious charges. Never click on links or attachments in unsolicited emails and messages," said Paul Bischoff, consumer privacy advocate at Comparitech.

A Comparitech analysis found that, since 2009, medical organizations in the U.S. have suffered 5,478 data breaches, affecting nearly 423 million medical records.

Truepill also recently settled with the U.S. Drug Enforcement Administration (DEA) over allegations that it unlawfully dispensed thousands of prescriptions for stimulant medications such as Adderall used in the treatment of attention-deficit/hyperactivity disorder.

"With this settlement, Truepill has accepted responsibility for operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances in excess of the 90-day limit, and filling prescriptions written by medical providers who did not have the required licenses, all in violation of federal law.  As a consequence, Truepill has agreed to revise its policies and procedures, train its pharmacists on implementing new controls and identifying improper prescriptions, and submit to heightened compliance measures for a period of four years," the DEA said in a press release.

In December 2022, the DEA announced that it served the startup with an order to show cause, which is an administrative action to determine whether a DEA certificate of registration should be revoked. 

The Truepill data breach comes on the heels of a major hacking incident at genetic testing company 23andMe in October.

Genetics testing company 23andMe Tuesday sent emails to several customers to inform them of a breach into the "DNA Relatives" feature that allowed them to compare ancestry information with users worldwide.

In early October, a hacker advertised millions of "pieces of data" stolen from 23andMe, according to posts made to an online forum where digital thieves often advertise leaked data, Reuters reported. The company had said it was working with federal law enforcement and forensic experts to investigate it.

Later in the month, a hacker with the moniker "Golem" published a new data set purportedly containing the records of 4 million users of 23andMe. TechCrunch reported that some of the newly published dates align with publicly available 23andMe data on user information and genetic details.

From January through June, there have been 308 healthcare data breaches reported to the federal government, representing a 15% sequential decline from the back half of 2022’s 363, according to a Critical Insight report.

However, the number of individuals affected by these breaches has jumped from the 31 million of the second half of 2022 to a new record of 40 million, representing an average of 131,000 impacted individuals per breach.

“The latest security incident affecting Truepill further proves that healthcare is the industry most impacted by data breaches. New ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of its patients and members—across the entire supply chain," said Steve Gwizdala, vice president of healthcare at Ping Identity, a digital identity management company. 

Organizations need to implement multifactor authentication, passwordless authentication and zero-trust architecture to improve security while mitigating risk and reducing opportunities for malicious actors to capture patient medical records, Gwizdala said.