Healthcare startups scramble to assess fallout after Postmeds data breach hits millions of patientsReading Time: 4 minutes
More than two million people across the United States will receive notice that their personal and sensitive health information was stolen earlier this year during a cyberattack at Postmeds, the parent company of online pharmacy startup Truepill.
For some of those affected, it’s the first they’re hearing of Postmeds, let alone that the company lost their sensitive personal and health information during the data breach.
News of the data breach also appeared to catch off-guard healthcare startups that previously relied on Postmeds to fulfill their customers’ prescriptions.
Postmeds, or Truepill, is an online pharmacy fulfillment startup that fills prescriptions for big-name telehealth services and other pharmacies, and mails medications to their customers. Postmeds, through Truepill, has fulfilled prescriptions for customers of Folx, Hims, and GoodRx, and other popular online telehealth startups that have emerged in recent years.
Even if you’ve never heard of Postmeds, the company may have filled one of your prescriptions and handled your information. Truepill’s website says it has delivered 20 million prescriptions to three million people since its founding in 2016.
Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.
Data breach ‘presents a huge risk’
In its data breach notice, Postmeds said hackers stole a trove of sensitive data, including patient names and demographic information — such as dates of birth — the type of prescribed medications and the prescriber’s name. In some cases that information can infer the reason for taking the medication, which can include a person’s highly sensitive medical information, such as details about their mental, sexual, and reproductive health.
Folx Health is a telehealth company that caters for the LGBTQIA+ community, with clinicians who can prescribe medications that support gender-affirming care. Folx said it previously used Truepill to fulfill customer prescriptions.
‘Like other healthcare companies, we send prescriptions to a wide range of pharmacies based on member choice, medication availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,’ said Clayton. ‘Truepill’s data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more.’
Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels Health, which relies on Truepill for fulfilling its customers’ prescriptions for blood glucose monitors.
Kate Burton-Barlow, representing Levels via a third-party agency, said in an email that Levels ‘formerly established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected.’
‘Customer care and data security are top priorities at Hims & Hers, we’ve invested heavily in both, and we’re proud of our record. While this wasn’t a breach of our systems or data, it’s a reminder to continue to stay vigilant around the steps we take to safeguard our customers,’ Brooklyn said in a statement.
CostPlus, the lower-cost online pharmacy founded by Mark Cuban, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.
Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.
The HIPAA connection
It’s not uncommon for tech or healthcare companies to share patient data with other companies, such as third-party or specialty pharmacies, to fulfill their services.
U.S. healthcare providers, like doctors offices and pharmacies, and insurance companies are subject to the health privacy and security rules set out in the Health Insurance Portability and Accountability Act, or HIPAA, which in part governs how healthcare providers should properly manage patient data security and privacy. Falling foul of HIPAA can result in heavy fines.
But a lot of telehealth startups are not considered ‘covered entities’ under HIPAA, and HIPAA often does not apply, because the startups themselves do not provide care, rather they connect patients with healthcare providers.
As Consumer Reports notes, HIPAA ‘does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data,’ but the same piece of information protected at a doctor’s office ‘can be totally unregulated in other settings.’
Both Hims and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA ‘does not necessarily apply to an entity or person simply because there is health information involved.’ Companies saying they are ‘HIPAA compliant’ can mean that HIPAA does not apply to them.
The U.S. does not have a national data security or privacy law, and instead relies on a patchwork of state laws that vary state-by-state. Most Americans live in states that have little to no protections against the sharing of a person’s information.
The two people, who received data breach notification letters from Postmeds and spoke with us for this story, both criticized the companies who issued their prescriptions for lacking transparency about who their business partners are and which of those partners would receive their sensitive personal information.
Several threads on Reddit have comments from people who received data breach notifications from Postmeds, but are not sure which company supplied Postmeds with their information.
‘I just got this letter and I have no idea which doctor this would even be through,’ said one person. ‘Also received this letter. No knowledge of the company,’ said another.
The breach is the latest incident to befall the embattled Truepill.
Truepill underwent several rounds of layoffs in 2022, including large swaths of its product team and all of its U.K. employees. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.
Earlier this month, Truepill settled with the U.S. Drug Enforcement Administration claims that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill ‘accepted responsibility for operating an unregistered online pharmacy.’
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG