Pharmacy provider Truepill data breach hits 2.3 million customers

November 14, 2023 at 12:40PM

Truepill, a B2B pharmacy platform, has notified individuals of a data breach in which threat actors accessed sensitive personal information. The breach affects 2,364,359 people and includes data such as full names, medication types, demographic information, and names of prescribing physicians. Social Security numbers were not exposed. Multiple class action lawsuits are being prepared, alleging that Postmeds (Truepill) did not maintain adequate security measures and failed to encrypt sensitive data. Additionally, the delayed notification and lack of specific details in the notices are being criticized. The leaked data also includes addresses, dates of birth, medical treatment information, diagnosis information, and health insurance information.

Key takeaways are as follows:

1. Truepill, a B2B-focused pharmacy platform, experienced a data breach in which threat actors gained unauthorized access to sensitive personal information of 2,364,359 individuals.

2. The breach was discovered on August 31, 2023, but the attackers had gained access a day earlier.

3. Data accessed by the threat actors includes full names, medication types, demographic information, and names of prescribing physicians. Social Security numbers (SSNs) were not exposed.

4. The breach increases the risk of phishing and social engineering attacks.

5. Some recipients of the breach notices were surprised as they had never heard of Truepill and were unsure how their data ended up there.

6. Multiple class action lawsuits are being prepared against Postmeds (doing business as Truepill) for not maintaining adequate security measures and failing to encrypt sensitive healthcare information on its servers.

7. The delay in notifying affected individuals, which took more than two months, may also contribute to the legal consequences.

8. Some impacted individuals reported suspicious activity on their Venmo accounts and later discovered their personal data on the dark web.

9. Critics argue that the breach notices were too vague, lacking details about the intrusion, and did not provide sufficient guidance or identity theft protection services.

10. It was also revealed that the leaked data includes addresses, dates of birth, medical treatment information, diagnosis information, and health insurance information, which were not mentioned in the breach notice.
