Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach
Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it suffered a massive data breach affecting 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed that the unauthorized access occurred between August 30, 2023, and September 1, 2023, and that the exposed files contained information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers was not compromised, as Postmeds does not receive that information.
Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.
A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.
Class action lawsuits are commonly filed after healthcare data breaches and seek damages for negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have resulted from those violations for the lawsuit to be granted standing.