More than two million people across the U.S. will receive notice that their personal and sensitive health information was stolen earlier this year during a cyberattack at Postmeds, the parent company of online pharmacy startup Truepill.
For some of those affected, it’s the first they’re hearing of Postmeds, let alone that the company lost their sensitive personal and health information in the data breach.
News of the data breach also appeared to catch off-guard healthcare startups that previously relied on Postmeds to fulfill their customers’ prescriptions.
Postmeds, or Truepill, is an online pharmacy fulfillment startup that fills prescriptions for big-name telehealth services and other pharmacies, and mails medications to their customers. Postmeds, through Truepill, has fulfilled prescriptions for customers of Folx, Hims, and GoodRx, and other popular online telehealth startups that have emerged in recent years.
Even if you’ve never heard of Postmeds, the company may have filled one of your prescriptions and handled your information. Truepill’s website says it has delivered 20 million prescriptions to 3 million people since its founding in 2016.
Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.
Data breach “presents a huge risk”
In its data breach notice, Postmeds said hackers stole a trove of sensitive data, including patient names and demographic information — such as dates of birth — the type of prescribed medications and the prescriber’s name. In some cases that information can reveal the reason for taking the medication, which can include a person’s highly sensitive medical information, such as details about their mental, sexual, and reproductive health.
Some of those who received data breach notification letters told TechCrunch that they were unfamiliar with Postmeds and did not know why the company had their information.
“Me and my partner also had overlapping times in which we were both patients with Folx, but I never got a letter,” a former Folx customer, whose partner received a data breach notification, told TechCrunch.
Folx Health is a telehealth company that caters to the LGBTQIA+ community, with clinicians who can prescribe medications that support gender-affirming care. Folx said it previously used Truepill to fulfill customer prescriptions.
When reached for comment by TechCrunch, Folx chief operating officer Dana Clayton told TechCrunch: “Folx terminated its relationship with Truepill in November of 2022. We are in touch with Truepill about the incident and are working to quickly assess any potential impact to our members.”
“Like other healthcare companies, we send prescriptions to a wide range of pharmacies based on member choice, medication availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,” said Clayton. “Truepill’s data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more.”
The former Folx customer, who works in cybersecurity, told TechCrunch that the data breach “presents a huge risk, especially for a community that stands to lose so much more by having that data compromised.”
Postmeds has not publicly commented beyond its data breach notice. TechCrunch asked Postmeds chief executive Paul Greenall in an email to provide a list of companies that Postmeds partnered with whose customers are affected. Greenall did not respond.
Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels Health, which relies on Truepill to fulfill its customers’ prescriptions for blood glucose monitors.
When contacted by TechCrunch, Levels would not say if its customers in the U.S. are affected by the Postmeds breach.
Kate Burton-Barlow, representing Levels via a third-party agency, said in an email that Levels “formerly established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected.”
TechCrunch contacted several healthcare companies that relied on Truepill to dispense and mail medications.
When reached for comment by TechCrunch, Hims spokesperson Khobi Brooklyn did not dispute that customer data was affected by the breach involving Truepill. The spokesperson would not say how many Hims customers are affected, but noted that not all Hims customers had their prescriptions filled by Truepill.
“Customer care and data security are top priorities at Hims & Hers, we’ve invested heavily in both, and we’re proud of our record. While this wasn’t a breach of our systems or data, it’s a reminder to continue to stay vigilant around the steps we take to safeguard our customers,” Brooklyn said in a statement.
Telehealth startup Cerebral, which provides telehealth services and prescription medications for mental health conditions, told TechCrunch that it has not had a business relationship or shared patient information with Truepill since 2022. “To date, we have not seen any notification of a breach and we have no reason to believe that any Cerebral patient’s [protected health information] has been impermissibly disclosed or accessed,” Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared millions of patients’ data with advertisers for several years.)
Several other pharmacies that worked with Truepill did not comment when contacted by TechCrunch prior to publication.
CostPlus, the lower-cost online pharmacy founded by Mark Cuban, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.
Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.
TechCrunch learned that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, uses Truepill to fulfill some orders. Nutrisense chief executive Alex Skryl did not respond to an email requesting comment.
The HIPAA connection
It’s not unusual for tech or healthcare companies to share patient data with other companies, such as third-party or specialty pharmacies, in order to deliver their services.
U.S. healthcare providers, like doctors’ offices and pharmacies, and insurance companies are subject to the health privacy and security rules set out in the Health Insurance Portability and Accountability Act, or HIPAA, which in part governs how healthcare providers should properly manage patient data security and privacy. Falling foul of HIPAA can result in heavy fines.
But a lot of telehealth startups are not considered “covered entities” under HIPAA, and HIPAA often does not apply, because the startups themselves do not provide care; rather, they connect patients with healthcare providers.
As Consumer Reports notes, HIPAA “does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data,” but the same piece of information protected at a doctor’s office “can be totally unregulated in other settings.”
Both Hims and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA “does not necessarily apply to an entity or person simply because there is health information involved.” Companies saying they are “HIPAA compliant” can mean that HIPAA does not apply to them.
The U.S. does not have a national data protection or privacy law, and instead relies on a patchwork of state laws that vary state by state. Most Americans live in states that have little to no protections against the sharing of a person’s information.
Instead, companies usually spell out how they handle customer or patient data in their privacy policy, but are not obligated to disclose which specific companies they work with.
The two people who received data breach notification letters from Postmeds and spoke with us for this story both criticized the companies that issued their prescriptions for lacking transparency about who their business partners are and which of those partners would receive their sensitive personal information.
“Once I got my first package and saw ‘Truepill’ on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to an organization that I personally hadn’t entered a trust relationship with,” the former Folx user told TechCrunch.
Several threads on Reddit have comments from people who received data breach notifications from Postmeds, but are not sure which company supplied Postmeds with their information.
“I just got this letter and I have no idea which doctor this would even be through,” said one person. “Also received this letter. No knowledge of the company,” said another.
The breach is the latest incident to befall the embattled Truepill.
Truepill underwent several rounds of layoffs in 2022, including large swaths of its product team and all of its U.K. staff. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.
Earlier this month, Truepill settled claims with the U.S. Drug Enforcement Administration that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill “accepted responsibility for operating an unregistered online pharmacy.”
Do you work at a healthcare organization that’s affected by the Postmeds/Truepill breach? You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email; you can also contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.