TruePill’s negligence in implementing industry-standard data practices jeopardizes the identities of over 2.3 million current and former patients.
A class action lawsuit was recently filed against PostMeds, the company behind online pharmacy Truepill, alleging it is to blame for a cyberattack announced in October 2023 that compromised the personal data of current and former TruePill customers.
About PostMeds Inc. d/b/a TruePill
Truepill is a software company specializing in developing software for pharmacies and healthcare organizations. Founded in 2016, Truepill offers products such as an open application programming interface and virtual pharmacy software to help its healthcare partners connect to patients online. Additionally, Truepill operates a nationwide network of mail order pharmacies, dispensing and shipping medications to all 50 states. Headquartered in San Mateo, California, Truepill has one location and employs more than 500 individuals.
On August 31, 2023, PostMeds, which does business as TruePill, discovered that a bad actor had gained access to files used for pharmacy management and fulfillment services. The company said it immediately launched an investigation with the help of cybersecurity professionals and concluded that a hacker accessed the files between August 30, 2023 and September 1, 2023.
What Information Was Stolen?
A review determined the compromised files contained information including:
- patient names,
- medication type,
- demographic information,
- prescribing physician name.
How Did This Happen?
The complaint alleges that the “foreseeable and preventable” cyberattack was a direct result of TruePill’s failure to implement adequate data security measures to safeguard customer information. The online pharmacy purportedly stored the unencrypted data in a “dangerous” and “vulnerable” condition in its network, the filing charges. As a result, over 2.3 million current and former patients are now at permanent risk of identity theft and other forms of personal, social, and financial harm.
TruePill Vague On Details Of Breach
The lawsuit also takes issue with the allegedly untimely and insufficient notification of data breach victims. PostMeds’ notice letter, which was sent to affected individuals about two months after the company reportedly detected the incident, failed to explain how cybercriminals gained access to the system, what specific demographic information was exposed and what steps are being taken to secure customer data in the future, the suit contends.
TruePill Failed To Implement Industry Standard Data Protections
According to the lawsuit, TruePill did not implement industry standard data protections as required under federal and state laws.
The lawsuit alleges that had TruePill remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted HIPAA-recommended security measures, it could have prevented intrusion into its information storage and security systems and, ultimately, the theft of patients’ confidential information.
As a result of the company’s alleged negligence, victims like the plaintiff now face an ongoing risk of identity theft, fraud and other illegal misuse of their personal data, the filing asserts.
You Received A Notification Letter – What Do You Do Now?
If you were notified that your personal information may be at risk, it is important that you act quickly to protect yourself.
If you would like to consult a lawyer to understand your rights or participate in the PostMeds class action, please complete the form below and a data breach lawyer will contact you. There is no cost or obligation.
The lawsuit looks to represent anyone in the United States whose private information was compromised in the data breach announced by PostMeds in October 2023.