Postmeds Data Breach Exposes Sensitive Health Information of Millions of Patients

Over 2 million individuals in the United States will be notified that their personal and sensitive health data was compromised in a cyberattack on Postmeds, the parent company of online pharmacy startup Truepill.

For many affected individuals, this serves as their first introduction to Postmeds and the revelation that their sensitive personal and health information was lost in the data breach.

The news of the data breach also came as a surprise to healthcare startups that had previously utilized Postmeds for their customers’ prescriptions.

Postmeds, also known as Truepill, is an online pharmacy fulfillment startup that supplies prescriptions for prominent telehealth services and other pharmacies, distributing medications to their customers. Postmeds, through Truepill, has provided prescriptions for clients of Folx, Hims, and GoodRx, among other popular online telehealth startups that have emerged in recent years.

Even if individuals are unfamiliar with Postmeds, the company may have processed their prescriptions and managed their information. Truepill’s website states that since its establishment in 2016, it has dispensed 20 million prescriptions to 3 million people.

Postmeds recently informed federal regulators in a mandatory notice that 2.3 million individuals had their personal information compromised in the breach. The company commenced sending written notices to affected individuals in early November.

Data Breach Implications

In its data breach notice, Postmeds revealed that hackers obtained a substantial amount of sensitive data, including patient names, demographic details (such as dates of birth), prescribed medication types, and the prescriber’s name. In some instances, this information could imply the purpose of the medication, potentially including a person’s highly sensitive medical data concerning their mental, sexual, and reproductive health.

Some recipients of the data breach notification letters expressed to TechCrunch that they were unfamiliar with Postmeds and the reasons behind the company possessing their information.

“Both my partner and I were patients with Folx during overlapping periods, but I did not receive a notification letter,” stated a former Folx customer whose partner received a data breach notification.

Folx Health is a telehealth company serving the LGBTQIA+ community, providing clinicians who can prescribe medications supporting gender-affirming care. Folx previously utilized Truepill to fulfill customer prescriptions.

When questioned by TechCrunch, Folx’s chief operating officer, Dana Clayton, stated, “Folx terminated its relationship with Truepill in November of 2022. We are in communication with Truepill regarding the incident and are working to promptly evaluate any potential impact on our members.”

Clayton expressed, “Similar to other healthcare companies, we entrust prescriptions to various pharmacies based on member preferences, medication availability, cost, and other considerations. Folx takes the privacy of its members seriously and holds its partners to the highest security standards. Truepill’s data breach has been a source of significant disappointment and concern for us, and Folx is dedicated to keeping our members informed as we gather more information.”

The former Folx customer, employed in cybersecurity, informed TechCrunch that the data breach “presents a significant risk, particularly for a community that stands to lose a lot more if their data is compromised.”

Postmeds has not made any public statements beyond its data breach notice. TechCrunch reached out to Postmeds’ CEO, Paul Greenall, via email to obtain a list of affected companies partnered with Postmeds. However, Greenall did not respond.

Another individual who received a data breach notification letter mentioned being prescribed a continuous glucose monitor around a year ago by metabolic health startup Levels, which relies on Truepill for fulfilling its customers’ prescriptions for blood glucose monitors.

When contacted by TechCrunch, Levels declined to confirm whether its U.S. customers were affected by the Postmeds breach.

Kate Burton-Barlow, representing Levels through a third-party agency, conveyed via email that Levels “previously established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not occurred, so Levels does not have any U.K. customers that could be affected.”

TechCrunch approached several healthcare companies utilizing Truepill for dispensing and shipping medications.

When queried by TechCrunch, Khobi Brooklyn, the spokesperson for Hims & Hers, did not contest that customer data was impacted by the Truepill-related breach. The spokesperson refrained from disclosing the number of affected Hims & Hers customers, emphasizing that not all of their customers had their prescriptions filled by Truepill.

In an official statement, Brooklyn said: “Customer care and data security are top priorities at Hims & Hers, and we have made substantial investments in both. Although this was not a breach of our systems or data, it serves as a reminder to remain vigilant about the measures we undertake to protect our customers.”

Cerebral, a telehealth startup that provides telehealth services and prescription medications for mental health conditions, told TechCrunch that it has not had a business relationship with Truepill or shared patient information with it since 2022. Cerebral’s spokesperson, Brittney Henderson, said via email, “To date, we have not received any notification of a breach, and we have no reason to believe that any Cerebral patient’s [protected health information] has been improperly disclosed or accessed.” (Cerebral previously disclosed that it had shared millions of patients’ data with advertisers over several years.)

Several other pharmacies partnering with Truepill declined to comment prior to the article’s publication.

Cost Plus, Mark Cuban’s affordable online pharmacy, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.

Healthcare and prescription coupon giant GoodRx utilizes Truepill as its mail delivery partner. GoodRx’s spokesperson, Lauren Casparis, did not respond to requests for comment.

TechCrunch discovered that Nutrisense, a tech startup providing continuous glucose monitors through prescriptions, utilizes Truepill for fulfilling certain orders. However, Nutrisense’s CEO, Alex Skryl, did not respond to an email request for comment.

The HIPAA Connection

It is common for tech and healthcare companies to share patient data with other entities, such as third-party or specialty pharmacies, to deliver their services.

U.S. healthcare providers, including medical practices, pharmacies, and insurance companies, are subject to the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA’s privacy and security rules govern how healthcare providers must handle the security and privacy of patient data. Failing to comply with HIPAA can lead to substantial fines.

Many telehealth startups are not classified as “covered entities” under HIPAA and, as a result, HIPAA often does not apply to them. This is because these startups do not directly provide care; rather, they connect patients with healthcare providers.

According to a report by Consumer Reports, HIPAA establishes privacy rules for healthcare providers and insurance companies when handling personally identifiable medical data. However, the same piece of information protected at a doctor’s office may be entirely unregulated in other settings.

Both Hims & Hers and Cerebral have stated in their privacy policies that while state privacy laws may apply to them, HIPAA does not necessarily apply, even when health information is involved. Consequently, when companies claim to be “HIPAA compliant,” it may simply mean that HIPAA does not apply to them.

The United States lacks a national data security or privacy law and relies on a patchwork of state laws, which vary from state to state. Consequently, most Americans live in states that provide little to no protection against the sharing of their personal information.

In most cases, companies outline how they handle customer or patient data in their privacy policy, without being obliged to disclose the specific companies they collaborate with.

Two individuals who received data breach notification letters from Postmeds and were interviewed for this story criticized the companies that issued their prescriptions for lacking transparency about their business partnerships and about who receives their sensitive personal information.

One of the impacted individuals remarked, “Once I got my first package and saw ‘Truepill’ on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to an organization that I personally hadn’t entered a trust relationship with.”

Furthermore, there are several Reddit threads where individuals who received data breach notifications from Postmeds expressed uncertainty about which company supplied Postmeds with their information.

The recent breach is the latest in a series of challenges for Truepill, which underwent multiple rounds of layoffs, including its product team and all U.K. employees. Moreover, Truepill’s co-founder, Sid Viswanathan, was ousted from the company, and the company settled with the U.S. Drug Enforcement Administration over claims of illegally dispensing controlled substances.

If you work at a healthcare organization affected by the Postmeds/Truepill breach, you can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email, or reach out to Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.