Over two million users hit by top US pharmacy provider data breach


Truepill, formerly known as Postmeds, suffered a data breach in which sensitive data on more than 2.3 million patients was stolen.

The US Department of Health and Human Services Office for Civil Rights breach portal lists Truepill (or rather Postmeds) as under investigation for a data breach that affected a total of 2,364,359 people.

Furthermore, the company, a business-to-business pharmacy platform that provides pharmacy product deliveries from businesses to customers across the US via APIs, has also begun sending breach notifications to affected customers. The notifications reportedly state that the company discovered the unauthorized access on August 31, 2023, although its subsequent investigation found that the breach had occurred the day before.


Lawsuits on the way?

According to the reports, the as-yet unidentified threat actors stole people's full names, medication types, demographic information, and the names of prescribing physicians. Social Security Numbers (SSNs), payment data, and similar information were not taken. While that might sound like a silver lining, the fact remains that there is plenty of data here to run phishing or identity theft scams.

The breach has already resulted in class-action lawsuits. The HIPAA Journal reported that the first lawsuit argued the company "failed to implement appropriate systems to prevent unauthorized access to patient data." To make matters worse, this could be just one of many lawsuits to come Truepill's way. BleepingComputer reported that some of the people who received data breach notifications had never used the service and have no idea how the company obtained their data. The company also took too long to notify the affected individuals, which might also serve as grounds for a class-action lawsuit.

Some regulations require businesses to disclose data breaches more quickly in order to protect consumers from possible social engineering attacks. It is impossible to know how many emails pretending to come from Truepill people received in the roughly two and a half months between the breach and the notifications.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.