More than 2 million people across the United States will receive notifications that their personal and sensitive health information was stolen in a cyberattack earlier this year on Postmeds, the parent company of online pharmacy startup Truepill.
For some of those affected, this was the first time they had heard of Postmeds, let alone learned that it was the company that lost their sensitive personal and health information in the breach.
News of the data breach also appears to have caught healthcare startups that had previously relied on Postmeds to fill customer prescriptions off guard.
Postmeds, which operates as Truepill, is an online pharmacy fulfillment startup that fills and mails medications to customers of well-known telemedicine services and other pharmacies. Through Truepill, Postmeds delivers prescriptions to customers of Folx, Hims and GoodRx, as well as other popular online telemedicine startups that have emerged in recent years.
Even if you’ve never heard of Postmeds, the company may be dispensing your prescriptions and processing your information. Truepill’s website says it has filled 20 million prescriptions to 3 million people since it was founded in 2016.
Postmeds recently told federal regulators in a legally required notice that the personal information of 2.3 million people was stolen in the breach. The company began sending written notices to affected individuals in early November.
Data breaches ‘pose huge risks’
Postmeds said in its data breach notification that the hackers stole a large amount of sensitive data, including patient names and demographic information such as date of birth, types of medications prescribed and names of prescribers. In some cases, this information can allow inferences about the reason for taking the medication, which may include a person’s highly sensitive medical information, such as details about their mental, sexual and reproductive health.
Some people who received data breach notification letters told TechCrunch they were unfamiliar with Postmeds and didn’t understand why the company had their information.
“My partner and I also had overlapping time periods and we were both Folx patients, but I never received a letter,” one former Folx customer told TechCrunch about his partner receiving a data breach notification.
Folx Health is a telemedicine company serving the LGBTQIA+ community, where clinicians can prescribe medications that support gender-affirming care. Folx said the company has previously used Truepill to meet customers’ prescription needs.
When reached for comment, Folx COO Dana Clayton told TechCrunch: “Folx ended its relationship with Truepill in November 2022. We are in contact with Truepill regarding the incident and are working to quickly assess any potential impact on our members.”
“Like other health care companies, we send prescriptions to a variety of pharmacies based on member selection, drug availability, cost and other factors. Folx takes our members’ privacy very seriously and requires its partners to adhere to the strictest security standards,” Clayton said. “We are deeply disappointed and concerned by the Truepill data breach, and Folx is committed to keeping our members informed.”
The former Folx customer, who works in cybersecurity, told TechCrunch that the data breach “poses a huge risk, especially for a community that has suffered huge losses from data breaches.”
Postmeds has not commented publicly beyond the data breach notification. TechCrunch asked Postmeds CEO Paul Greenall in an email for a list of companies that work with Postmeds and whose customers have been affected. Greenall didn’t respond.
Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor about a year ago by metabolic health startup Levels Health, which relies on Truepill to fill customer prescriptions for the glucose monitor.
Levels did not disclose whether its U.S. customers were affected by the Postmeds data breach when contacted by TechCrunch.
Kate Burton-Barlow, who represents Levels through a third-party agency, said in an email that Levels “previously had a relationship with UK-based Truepill and expected a future launch in the UK, but that launch has not yet occurred, so Levels does not have any UK customers who may be affected.”
TechCrunch contacted several health care companies that rely on Truepill to distribute and mail medications.
When TechCrunch reached out to Hims spokesperson Khobi Brooklyn for comment, Brooklyn did not deny that customer data was affected by the Truepill breach. The spokesperson would not say how many Hims customers were affected, but noted that not all Hims customers’ prescriptions were filled by Truepill.
“Customer service and data security are top priorities at Hims & Hers, we invest heavily in both areas and we are proud of our record. While this is not a breach of our systems or data, it is a reminder that we must remain vigilant about the steps we take to protect our customers,” Brooklyn said in a statement.
Cerebral, a telemedicine startup that provides telemedicine services and prescription drugs for mental health issues, told TechCrunch that it has had no business relationship with Truepill and has not shared patient information with it since 2022. “To date we have not seen any breach notices and we have no reason to believe that any Cerebral [protected health information] has been disclosed or accessed without permission,” Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared the data of millions of patients with advertisers over the years.)
TechCrunch reached out to several other pharmacies that work with Truepill, which did not provide comment before publication.
CostPlus, the low-cost online pharmacy founded by Mark Cuban that relies on Truepill to ship medications to customers, did not respond to a request for comment. Cuban invested an undisclosed amount in Truepill in early 2023.
Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to a request for comment.
TechCrunch has learned that Nutrisense, a tech startup that offers continuous glucose monitors by prescription, uses Truepill to fulfill some orders. Nutrisense CEO Alex Skryl did not respond to an email seeking comment.
HIPAA connection
It is not uncommon for technology or healthcare companies to share patient data with third parties or other companies, such as specialty pharmacies, to perform their services.
U.S. health care providers, such as doctor’s offices and pharmacies, as well as insurance companies, are required to comply with the health privacy and security rules set forth in the Health Insurance Portability and Accountability Act (HIPAA), which regulates, in part, how health care providers must manage the security and privacy of patient data. Violations of HIPAA can result in significant fines.
But many telemedicine startups are not considered “covered entities” under HIPAA, and HIPAA often does not apply because the startups themselves do not provide care, but rather connect patients to health care providers.
As Consumer Reports points out, HIPAA “does set privacy rules for health care providers and insurance companies to follow when handling personally identifiable medical data,” but the same information that is protected in a doctor’s office “may be completely unregulated” in other settings.
Both Hims and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA “does not necessarily apply to an entity or person simply because it involves health information.” A company’s claim that it is “HIPAA compliant” may therefore mean only that HIPAA does not apply to it.
The United States has no national data security or privacy laws, instead relying on a patchwork of laws that vary from state to state. Most Americans live in states with few or no protections for the sharing of personal information.
Instead, companies typically detail how they process customer or patient data in their privacy policies, but are under no obligation to disclose which specific companies they work with.
Both men who received Postmeds’ data breach notification letters and were interviewed about them criticized the prescribing companies’ lack of transparency about who their business partners are and which partners receive customers’ sensitive personal information.
“When I received my first package and saw ‘Truepill’ on the box from Folx, I realized, and I admit it too late, that my data had been sent to an organization with which I personally did not have a trusting relationship,” the former Folx user told TechCrunch.
Multiple Reddit posts drew comments from users who had been notified of the data breach by Postmeds but were unsure which company had provided their information to Postmeds.
“I just got this letter and I don’t know which doctor it’s through,” one person said. “Got this letter too. Don’t know about the company,” said another.
The breach is the latest incident for troubled Truepill.
Truepill underwent multiple rounds of layoffs in 2022, cutting a large part of its product teams and all of its UK employees. In September, Truepill co-founder Sid Viswanathan was ousted from the company.
Earlier this month, Truepill reached a settlement with the U.S. Drug Enforcement Administration over allegations that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill “admitted liability for operating an unregistered online pharmacy.”