Healthcare startups scramble to absorb fallout after Postmeds data breach hits millions of patients

More than two million people across the United States will receive notification that their personal and sensitive health information was stolen earlier this year during a cyberattack on Postmeds, the parent company of online pharmacy startup Truepill.

For some of those affected, this is the first they have heard of Postmeds, the company that lost their sensitive personal and health information in the breach.

News of the data breach also appears to have caught off guard the healthcare startups that once relied on Postmeds to fulfill their customers’ prescriptions.

Postmeds, doing business as Truepill, is an online pharmacy fulfillment startup that fills prescriptions for major telehealth services and other pharmacies and ships the medications to their customers. Through Truepill, Postmeds has fulfilled prescriptions for customers of Folx, Hims, GoodRx, and other popular online telehealth startups that have emerged in recent years.

Even if you’ve never heard of Postmeds, the company may be filling one of your prescriptions and managing your information. Truepill’s website says it has dispensed 20 million prescriptions to three million people since it was founded in 2016.

Postmeds recently told federal regulators in a legally required notification that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.

Data breach “poses a huge risk”

In its data breach notification, Postmeds said the hackers stole a trove of sensitive data, including patient names and demographic information, such as dates of birth, the type of prescription medication, and the name of the prescriber. In some cases that information can reveal the reason a person takes a medication, which may include highly sensitive medical information, such as details about their mental, sexual, or reproductive health.

Some of those who received data breach notification letters told TechCrunch they were not familiar with Postmeds and did not know why the company had their information.

“My partner and I also had overlapping periods where we were both Folx patients, but I never got a letter,” a former Folx customer, whose partner received a breach notice, told TechCrunch.

Folx Health is a telehealth company that caters to the LGBTQIA+ community, with clinicians who can prescribe medications that support gender-affirming care. Folx said it previously used Truepill to fill customer prescriptions.

When reached for comment, Folx chief operating officer Dana Clayton told TechCrunch: “Folx ended its relationship with Truepill in November of 2022. We contacted Truepill about the incident and are working to quickly investigate any potential impact on our members.”

“Like other health care companies, we send prescriptions to multiple pharmacies based on member choice, drug availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,” Clayton said. “The Truepill data breach is a matter of great disappointment and concern for us, and Folx is committed to keeping our members informed as we progress.”

A former Folx customer, who works in cybersecurity, told TechCrunch that the data breach “poses a huge risk, especially for a community that has more to lose by compromising that data.”

Postmeds did not comment publicly beyond its data breach announcement. TechCrunch asked Postmeds chief executive Paul Greenall in an email to provide a list of companies working with Postmeds whose customers were affected. Greenall did not answer.

Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels Health, which relies on Truepill to fulfill its customers’ prescriptions for blood glucose monitors.

When contacted by TechCrunch, Levels would not say whether its customers in the United States were affected by the Postmeds breach.

Kate Burton-Barlow, who represents Levels through a third-party agency, said in an email that Levels had “previously established a relationship with Truepill in the UK in anticipation of an upcoming UK launch, but that launch didn’t happen, so Levels doesn’t have any UK customers who might be affected by it.”

TechCrunch contacted several healthcare companies that rely on Truepill to dispense and ship their customers’ medications.

When reached for comment by TechCrunch, Hims spokesperson Khobi Brooklyn did not dispute that customer data was affected by the breach involving Truepill. The spokesperson would not say how many Hims customers were affected, but noted that not all of Hims’ customers had their prescriptions filled by Truepill.

“Customer care and data security are top priorities at Hims & Hers, we’ve invested heavily in both, and we’re proud of our track record. Although this wasn’t a breach of our systems or data, it’s a reminder to continue to be vigilant in the steps we take to protect our customers,” Brooklyn said in a statement.

Telehealth startup Cerebral, which provides telehealth services and prescription medications for mental health conditions, told TechCrunch that it has had no business relationship with Truepill, and has shared no patient information with it, since 2022. “There is no reason to believe that any Cerebral patient protected health information was impermissibly disclosed or accessed,” Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared millions of patients’ data with advertisers over several years.)

Several other pharmacies that work with Truepill did not comment when contacted by TechCrunch ahead of publication.

CostPlus, the low-cost online pharmacy founded by Mark Cuban, which relies on Truepill to ship medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill in early 2023.

Healthcare and prescription-coupon giant GoodRx relies on Truepill as a mail-delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.

TechCrunch has learned that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, is using Truepill to fulfill some orders. Nutrisense chief executive Alex Skryl did not respond to an email requesting comment.

The HIPAA connection

It is common for tech or healthcare companies to share patient data with other companies, such as third parties or specialty pharmacies, to fulfill their services.

US healthcare providers, such as doctors’ offices and pharmacies, and health insurers are subject to the privacy and security rules set out in the Health Insurance Portability and Accountability Act, or HIPAA, which in part governs how healthcare providers must protect the security and privacy of patient data. HIPAA violations can result in heavy fines.

But many telehealth startups aren’t considered “covered entities” under HIPAA, so HIPAA often doesn’t apply to them, because the startups themselves don’t provide care; rather, they connect patients to healthcare providers.

As Consumer Reports notes, Hims and Cerebral state in their privacy policies that while state privacy laws may apply, HIPAA “does not necessarily apply to an entity or person simply because there is health information involved.” A company that calls itself “HIPAA compliant” is not necessarily a covered entity to which HIPAA applies.

The US has no comprehensive federal data security or privacy law, and instead relies on a patchwork of state laws that vary from state to state. Most Americans live in states that offer little or no protection against the sharing of their information.

Instead, companies usually spell out how they handle customer or patient data in their privacy policies, but they are not obligated to disclose which specific companies they work with.

The two people who received data breach notification letters from Postmeds and spoke to us for this story both criticized the companies that issued their prescriptions for a lack of transparency about who their business partners are and which of those partners receive their sensitive personal information.

“When I got my first package and saw ‘Truepill’ in the box from Folx, I realized, admittedly late on my part, that my data was sent to an organization that I personally did not enter into a trust relationship with,” the former Folx user told TechCrunch.

Several threads on Reddit have comments from people who have received data breach notifications from Postmeds, but aren’t sure which company provided Postmeds with their information.

“I just got this letter and I don’t know which doctor it could be,” said one person. “Received this letter as well. No knowledge of the company,” said another.

The breach is the latest incident at the embattled Truepill.

Truepill underwent several rounds of layoffs in 2022, cutting large swaths of its product team and all of its UK employees. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.

Earlier this month, Truepill settled with the US Drug Enforcement Administration, which claimed that the company had illegally dispensed thousands of prescriptions for controlled substances. As part of the settlement, Truepill “accepts the responsibility of operating an unregistered online pharmacy.”

Do you work for a healthcare organization affected by the Postmeds/Truepill breach? You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or via email; you can also contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch through SecureDrop.