Truepill, a digital health startup that provides pharmacy fulfillment services to healthcare organizations, confirmed that hackers accessed the personal data of more than 2.3 million patients.
In a data breach notification posted on its website, the company says Postmeds, the parent company behind Truepill, experienced a “cybersecurity incident” that allowed anonymous attackers to access files used for pharmacy management and fulfillment services between Aug. 30 and Sept. 1.
Getting in touch
Do you have more information about the Truepill data breach? Carly Page can be reached securely on Signal on +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.
The company’s investigation found that the accessed files contained sensitive customer information, including patient names, unspecified demographic information, the type of drug and the name of the patient’s prescribing physician. Truepill said Social Security numbers were not involved, as the company does not receive that information.
Truepill confirmed that 2.3 million patients were affected, according to the legally required filing submitted to the US Department of Health and Human Services' data breach reporting portal. Truepill’s website says the company has served more than three million patients and dispensed 20 million prescriptions since its founding in 2016.
Truepill said it was strengthening its security protocols and providing additional cybersecurity training for its employees. The company did not say how its systems were breached or what specific measures it has implemented to prevent future breaches, and a spokesperson did not respond to TechCrunch’s questions.
The data breach — news of which was first shared with affected individuals on October 30 — is already the subject of a class action, which alleges that the cyber incident was a direct result of Postmeds’ failure to implement adequate data security measures to safeguard customer information. Specifically, the complaint accuses the company of failing to encrypt sensitive healthcare information stored on its servers.
Last week, Truepill settled with the US Drug Enforcement Administration after complaints that the pharmacy was illegally dispensing thousands of prescriptions for controlled substances.
“With this settlement, Truepill has accepted liability for operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances that exceed the 90-day limit, and filling prescriptions written by medical providers who did not have the required permits, all in violation of federal law,” the DEA wrote in a Nov. 6 news release.