Truepill faced a data breach attack that affected millions of clients

November 22, 2023
Truepill, one of the most prominent B2B-focused pharmacy platforms, operating under Postmeds, faces backlash after it notified 2.3 million potentially impacted customers about a data breach incident.

Truepill, known for its API-driven order fulfilment and delivery services for direct-to-consumer brands and healthcare organisations, recently announced that unauthorised network access to its systems occurred in August 2023.

The Truepill data breach incident could be catastrophic for its customers, as the attackers could have acquired critical information.

According to the advisory, the Truepill breach exposed sensitive personal information, including full names, medication types, demographic details, and prescribing physicians’ names. Fortunately, the exposed information does not include Social Security numbers, but it still poses a significant risk for phishing and social engineering attacks.

Most of the affected individuals who received the advisory, however, expressed confusion, claiming they had never heard of Truepill. The incident also raised questions about how the attack compromised their data.

The data breach also triggered multiple class-action lawsuits across the United States, with plaintiffs arguing that Postmeds has incompetent security practices because it does not encrypt stored healthcare information, which contributed to the severity of the breach.

The lawsuits also target the delayed notification process, which spanned over two months before affected individuals were informed. During this period, some victims spotted suspicious activity on their Venmo accounts and later discovered their information for sale on various cybercriminal markets.

Other affected parties also expressed concern about the vague content of the breach notices. Many explained that the notifications lack crucial details about the intrusion methods, leaving recipients without guidance on protecting themselves against threats and other potential hacking attempts.

The platform has not yet provided identity theft protection services to its customers.

Law firms that represent the affected individuals also claimed that the Postmeds reports are incomplete. They believe the incident also exposed additional details, such as addresses, dates of birth, medical treatment information, diagnosis records, and health insurance information.

The legal battles ahead could bring significant change for cybersecurity providers serving pharmaceutical clients, as the backlash emphasises the importance of robust security measures and timely breach notifications. As of now, Truepill’s reputation and its healthcare data security provider are under intense criticism.
