Postmeds Agrees to $7.5 Million Settlement to Resolve Data Breach Lawsuit
The online pharmacy Postmeds Inc., which does business as Truepill, has agreed to settle a class action lawsuit filed in response to a 2023 data breach that affected 2,364,359 individuals. The plaintiffs’ proposed $7.5 million settlement was granted preliminary approval by U.S. District Court Judge Haywood S. Gilliam on Tuesday this week.
Several class action lawsuits were filed in response to the data breach and were consolidated into a single action – In Re: Post Meds, Inc. Data Breach Litigation – as they were based on the same facts and made similar claims. The consolidated lawsuit alleged that Postmeds failed to implement reasonable and appropriate security measures to protect the sensitive data it stored, which allowed a bad actor to gain access to its network and files used for pharmacy and fulfillment services.
The consolidated lawsuit alleged negligence, breach of implied contract, unjust enrichment/quasi-contract, invasion of privacy-intrusion upon seclusion, and violations of the California Unfair Competition Law, California Confidentiality of Medical Information Act, California Customer Records Act, the California Constitution Article § 1, and the Illinois Consumer Fraud and Deceptive Business Practices Act.
Over several months, after extensive arm’s length negotiations, all parties agreed to a settlement to bring the litigation to an end, with Postmeds admitting to no wrongdoing. Under the terms of the settlement, all individuals who received a notification letter about the data breach are part of a single nationwide class and are entitled to submit claims for out-of-pocket expenses incurred as a result of the data breach.
Claims may be submitted for documented out-of-pocket expenses and monetary losses of up to $4,000, and a claim may also be made for a cash payment. In lieu of the cash payment, class members may claim one year of data protection and credit monitoring services from Privacy Shield. Claims will be paid after legal costs and expenses, attorneys’ fees, and service awards have been deducted. Any residual funds in the settlement amount will be distributed pro rata to the class members after the claims have been paid.
Class counsel received assurances that Postmeds has updated its business practices regarding data security to prevent similar data breaches in the future. Class members have been given 60 days to object to or exclude themselves from the settlement, claims must be submitted within 90 days, and the final approval hearing will be scheduled by the court no sooner than 120 days after the notice date. The plaintiffs and class members were represented by Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, James J. Pizzirusso of Hausfeld LLP, and Jill M. Manning of Pearson Warshaw, LLP.
Nov 14, 2023: Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach
Postmeds, Inc., a company that does business as Truepill and fulfills mail-order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers was not compromised, as Postmeds does not receive that information.
Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.
A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.
Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.


