
Healthcare startups scramble to evaluate fallout after Postmeds data breach hits millions of patients

More than two million people across the United States will receive notice that their personal and sensitive health information was stolen earlier this year during a cyberattack at Postmeds, the parent company of online pharmacy startup Truepill.

For some of those affected, it’s the first they’re hearing of Postmeds, let alone that the company lost their sensitive personal and health information during the data breach.

News of the data breach also appeared to catch off-guard healthcare startups that previously relied on Postmeds to fulfill their customers’ prescriptions.

Postmeds, or Truepill, is an online pharmacy fulfillment startup that fills prescriptions for big-name telehealth services and other pharmacies, and mails medications to their customers. Postmeds, through Truepill, has fulfilled prescriptions for customers of Folx, Hims, and GoodRx, and other popular online telehealth startups that have emerged in recent years.

Even if you’ve never heard of Postmeds, the company may have filled one of your prescriptions and handled your information. Truepill’s website says it has delivered 20 million prescriptions to 3 million people since its founding in 2016.

Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.

Data breach “presents a huge risk”

In its data breach notice, Postmeds said hackers stole a trove of sensitive data, including patient names and demographic information, such as dates of birth, the type of prescribed medications and the prescriber’s name. In some cases that information can infer the reason for taking the medication, which can include a person’s highly sensitive medical information, such as details about their mental, sexual, and reproductive health.

Some of those who received data breach notification letters told information.killnetswitch that they were unfamiliar with Postmeds and why the company had their information.

“Me and my partner also had overlapping times in which we were both patients with Folx, but I never got a letter,” a former Folx customer, whose partner received a data breach notification, told information.killnetswitch.

When reached for comment by information.killnetswitch, Folx chief operating officer Dana Clayton told information.killnetswitch: “Folx terminated its relationship with Truepill in November of 2022. We are in contact with Truepill regarding the incident and are working to quickly assess any potential impact to our members.”


“Like other healthcare companies, we send prescriptions to a range of pharmacies based on member choice, medication availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,” said Clayton. “Truepill’s data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more.”


The former Folx customer, who works in cybersecurity, told information.killnetswitch that the data breach “presents a huge risk, especially for a community that stands to lose so much more by having that data compromised.”

Postmeds has not publicly commented beyond its data breach notice. information.killnetswitch asked Postmeds chief executive Paul Greenall in an email to provide a list of companies that Postmeds partnered with whose customers are affected. Greenall did not respond.

Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels Health, which relies on Truepill for fulfilling its customers’ prescriptions for blood glucose monitors.

When contacted by information.killnetswitch, Levels would not say if its customers in the United States are affected by the Postmeds breach.

Kate Burton-Barlow, representing Levels via a third-party agency, said in an email that Levels “previously established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected.”

information.killnetswitch contacted several healthcare companies that relied on Truepill to dispense and mail medications.

When reached for comment by information.killnetswitch, Hims spokesperson Khobi Brooklyn did not dispute that customer data was affected by the breach involving Truepill. The spokesperson would not say how many Hims customers are affected, but noted that not all Hims customers had their prescriptions filled by Truepill.

“Customer care and data security are top priorities at Hims & Hers, we have invested heavily in both, and we are proud of our record. While this wasn’t a breach of our systems or data, it’s a reminder to continue to remain vigilant around the steps we take to safeguard our customers,” Brooklyn said in a statement.


Telehealth startup Cerebral, which provides telehealth services and prescription medications for mental health conditions, told information.killnetswitch that it has not had a business relationship or shared patient information with Truepill since 2022. “To date, we have not seen any notification of a breach and we have no reason to believe that any Cerebral patient’s [protected health information] has been impermissibly disclosed or accessed,” Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared millions of patients’ data with advertisers for several years.)

Several other pharmacies that worked with Truepill did not comment when contacted by information.killnetswitch prior to publication.

CostPlus, the lower-cost online pharmacy founded by Mark Cuban, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.

Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.

information.killnetswitch found that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, uses Truepill to fulfill some orders. Nutrisense chief executive Alex Skryl did not respond to an email requesting comment.

The HIPAA connection

It’s not unusual for tech or healthcare companies to share patient data with other companies, such as third-party or specialty pharmacies, to fulfill their services.

U.S. healthcare providers, like doctors’ offices and pharmacies, and insurance companies are subject to the health privacy and security rules set out in the Health Insurance Portability and Accountability Act, or HIPAA, which in part governs how healthcare providers should properly handle patient data security and privacy. Falling foul of HIPAA can result in heavy fines.

But a lot of telehealth startups are not considered “covered entities” under HIPAA, and HIPAA generally does not apply, because the startups themselves do not provide care; rather, they connect patients with healthcare providers.

As Consumer Reports notes, HIPAA “does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data,” but the same piece of information protected at a doctor’s office “can be completely unregulated in other settings.”

Both Hims and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA “does not necessarily apply to an entity or person simply because there is health information involved.” Companies saying they are “HIPAA compliant” can mean that HIPAA does not apply to them.


The U.S. does not have a national data security or privacy law, and instead relies on a patchwork of state laws that vary state-by-state. Most Americans live in states that have little to no protections against the sharing of a person’s information.

Instead, companies usually spell out how they handle customer or patient data in their privacy policy, but are not obligated to disclose which specific companies they work with.

The two people, who received data breach notification letters from Postmeds and spoke with us for this story, both criticized the companies that issued their prescriptions for lacking transparency about who their business partners are and which of those partners would receive their sensitive personal information.

“Once I got my first package and saw ‘Truepill’ on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to a company that I personally hadn’t entered a trust relationship with,” the former Folx user told information.killnetswitch.

Several threads on Reddit have comments from people who received data breach notifications from Postmeds, but are not sure which company supplied Postmeds with their information.

“I just got this letter and I don’t know which doctor this could even be through,” said one person. “Also received this letter. No knowledge of the company,” said another.

The breach is the latest incident to befall the embattled Truepill.

Truepill underwent several rounds of layoffs in 2022, including large swaths of its product team and all of its U.K. staff. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.

Earlier this month, Truepill settled with the U.S. Drug Enforcement Administration claims that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill “accepted responsibility for operating an unregistered online pharmacy.”

Do you work at a healthcare organization that’s affected by the Postmeds/Truepill breach? You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email; you can also contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact information.killnetswitch via SecureDrop.
