Truepill, a digital health startup that provides pharmacy fulfillment services for healthcare organizations, has confirmed that hackers accessed the personal data of more than 2.3 million patients.
In a data breach notice published on its website, the company says Postmeds, the parent company behind Truepill, experienced a “cybersecurity incident” that allowed unnamed attackers to gain access to files used for pharmacy management and fulfillment services between August 30 and September 1.
The company’s investigation found that the accessed files contained sensitive customer information, including patient names, unspecified demographic information, medication type and the name of the patient’s prescribing physician. Truepill said Social Security numbers were not involved, as the company does not receive this information.
According to a required legal filing submitted to the U.S. Department of Health and Human Services’ data breach reporting portal, Truepill confirmed that 2.3 million patients were affected. The company’s website states that it has served more than three million patients and delivered 20 million prescriptions since its establishment in 2016.
Truepill stated that it was enhancing its security protocols and implementing additional cybersecurity training for employees. However, the company did not disclose the specifics of how its systems were compromised or the exact measures implemented to prevent future breaches, and a spokesperson did not respond to TechCrunch’s questions.
The data breach, which was first disclosed to affected individuals on October 30, has resulted in a class action lawsuit. The lawsuit alleges that the cybersecurity incident occurred due to Postmeds’ failure to implement adequate data security measures to protect customer information. Specifically, the complaint accuses the company of not encrypting sensitive healthcare information stored on its servers.
Last week, Truepill reached a settlement with the U.S. Drug Enforcement Administration over allegations that the pharmacy illegally dispensed thousands of prescriptions for controlled substances.
In a press release on November 6, the DEA stated, “With this settlement, Truepill has accepted responsibility for operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances in excess of the 90-day limit and filling prescriptions written by medical providers who did not have the required licenses, all in violation of federal law.”