Decode the details of Truepill’s recent data breach, unveiling vulnerabilities that jeopardized the personal data of 2.3 million patients.
Truepill, a digital health startup, has acknowledged a security breach compromising personal data for 2.3 million patients. Postmeds, Truepill’s parent company, experienced a “cybersecurity incident,” granting attackers access to files used for pharmacy management and fulfillment services from August 30 to September 1. The breached files contained sensitive customer details, such as patient names, demographic data, medication types, and prescribing physicians’ names—excluding Social Security numbers.
In a data breach notice on its website, Truepill officially confirmed the impact on 2.3 million patients through the U.S. Department of Health and Human Services’ data breach reporting portal. Despite serving over three million patients and delivering 20 million prescriptions since its 2016 establishment, the company chose not to disclose specific details of the security compromise or the preventive measures taken. Simultaneously, Truepill is reinforcing security protocols and providing additional cybersecurity training for its staff to address vulnerabilities.
The breach, initially communicated on October 30, has prompted a class-action lawsuit. The legal action alleges that Postmeds’ failure to implement sufficient data security directly caused the cybersecurity incident. The complaint specifically accuses the company of neglecting to encrypt sensitive healthcare information stored on its servers.
Moreover, Truepill recently settled with the U.S. Drug Enforcement Administration (DEA) over allegations of illegally dispensing controlled substance prescriptions. This settlement acknowledges Truepill’s responsibility for operating an unregistered online pharmacy, exceeding the 90-day limit for Schedule II controlled substances, and fulfilling prescriptions from unlicensed medical providers, all in violation of federal law. The DEA’s November 6 press release highlighted these infractions and Truepill’s acceptance of responsibility.
Related stories:
