The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers was not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
