Truepill, a digital health startup that provides pharmacy fulfillment services for healthcare organizations, has confirmed that hackers accessed the personal data of more than 2.3 million patients.
In a data breach notice published on its website, the company says Postmeds, the parent company behind TruePill, experienced a “cybersecurity incident” that allowed unnamed attackers to gain access to files used for pharmacy management and fulfillment services between August 30 and September 1.
Get in touch
The company’s investigation found that the accessed files contained sensitive customer information, including patient names, unspecified demographic information, medication type and the name of the patient’s prescribing physician. Truepill said Social Security numbers were not involved, as the company does not receive this information.
Truepill confirmed 2.3 million patients were affected according to a required legal filing submitted to the U.S. Department of Health and Human Services’ data breach reporting portal. Truepill’s website says the company has served more than three million patients and delivered 20 million prescriptions since it was founded in 2016.
Truepill said it was enhancing its security protocols and rolling out additional cybersecurity training for employees. The company did not say how its systems were compromised or what specific measures it has implemented to prevent future breaches, and a spokesperson did not respond to TechCrunch’s questions.
The data breach — news of which was first shared with impacted individuals on October 30 — is already the subject of a class action lawsuit, which alleges that the cybersecurity incident was a direct result of Postmeds’ failure to implement adequate data security measures to safeguard customer information. Specifically, the complaint accuses the company of not encrypting sensitive healthcare information stored on its servers.
Last week, Truepill settled with the U.S. Drug Enforcement Administration over allegations the pharmacy illegally dispensed thousands of prescriptions for controlled substances.
“With this settlement, Truepill has accepted responsibility for operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances in excess of the 90-day limit and filling prescriptions written by medical providers who did not have the required licenses, all in violation of federal law,” the DEA wrote in a press release on November 6.