Online Pharmacy Truepill’s Data Breach Impacts Over 2 Million Individuals

Postmeds, operating as Truepill, revealed that unauthorized actors had breached its system and accessed personal information of more than 2.3 million people.

Truepill, an online business-to-business (B2B) pharmacy provider, uses APIs to make pharmacy product deliveries from businesses to consumers (B2C) across all 50 states in the US.

In a public as well as individual email notification, the organization informed recipients about the cybersecurity incident, wherein unknown hackers accessed its internal network between August 30, and September 1, 2023. ‘’On August 31, 2023, we discovered that a bad actor gained access to a subset of files used for pharmacy management and fulfillment services,’’ the notification revealed.

The compromised information includes patients name, types of medication, demographic data (in some instances), and name of prescribing physician. Although the Social Security numbers were not a part of this breach, the exposed data leaves the impacted customers vulnerable to phishing and other types of social engineering attacks.

According to the data published on the US Department of Health and Human Services Office for Civil Rights’ portal, 2,364,359 individuals have been impacted by this breach. However, Truepill in its notification, did not disclose any details about the attack, number of impacted customers, nor type of information breached. Some of the impacted individuals express confusion on social media sites, claiming that they had never availed Truepill’s services.

The security data breach as well as delay in customer notification has resulted in legal ramifications for Truepill (Postmeds). In the past few days, several class action lawsuits have been filed against the organization, citing that it had not adhered to the requisite industrial guidelines for securing customer information. Moreover, insufficient disclosure and delayed notification have also been argued as reasons behind the lawsuit.