More than 2 million people across the United States will receive notice that their personal and sensitive health information was stolen earlier this year during a cyberattack at Postmeds, the parent company of online pharmacy startup Truepill.
For some of those affected, it's the first they're hearing of Postmeds, let alone that the company lost their sensitive personal and health information during the data breach.
News of the data breach also appears to have surprised healthcare startups that previously relied on Postmeds to fulfill their customers' prescriptions.
Postmeds, or Truepill, is an online pharmacy fulfillment startup that fills prescriptions for big-name telehealth services and other pharmacies and mails medications to their customers. Postmeds, through Truepill, has fulfilled prescriptions for customers of Folx, Hims, and GoodRx, and other popular online telehealth startups that have emerged in recent years.
Even if you've never heard of Postmeds, the company may have filled one of your prescriptions and handled your information. Truepill's website says it has delivered 20 million prescriptions to 3 million people since its founding in 2016.
Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.
Data breach “presents a huge risk”
In its data breach notice, Postmeds said hackers stole a treasure trove of sensitive data, including patient names and demographic information (such as dates of birth), the type of prescribed medications, and the prescriber's name. In some cases that information can reveal the reason for taking the medication, which can include a person's highly sensitive medical information, such as details about their mental, sexual, and reproductive health.
Some of those who received data breach notification letters told TechCrunch that they were unfamiliar with Postmeds and why the company had their information.
"Me and my partner also had overlapping times in which we were both patients with Folx, but I never got a letter," a former Folx customer, whose partner received a data breach notification, told TechCrunch.
Folx Health is a telehealth company that caters to the LGBTQIA+ community, with clinicians who can prescribe medications that support gender-affirming care. Folx said it previously used Truepill to fulfill customer prescriptions.
When reached for comment by TechCrunch, Folx chief operating officer Dana Clayton said: "Folx terminated its relationship with Truepill in November of 2022. We are in touch with Truepill about the incident and are working to quickly assess any potential impact to our members."
"Like other healthcare companies, we send prescriptions to a broad range of pharmacies based on member preference, medication availability, cost, and other factors. Folx takes its members' privacy seriously and holds its partners to the strictest security standards," said Clayton. "Truepill's data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more."
The former Folx customer, who works in cybersecurity, told TechCrunch that the data breach "presents a huge risk, especially for a community that stands to suffer so much more by having that data compromised."
Postmeds has not publicly commented beyond its data breach notice. TechCrunch asked Postmeds chief executive Paul Greenall in an email to provide a list of companies that Postmeds partnered with whose customers are affected. Greenall did not respond.
Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels, which relies on Truepill for fulfilling its customers' prescriptions for blood glucose monitors.
When contacted by TechCrunch, Levels would not say if its customers in the United States are affected by the Postmeds breach.
Kate Burton-Barlow, representing Levels via a third-party agency, said in an email that Levels "formerly had a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected."
TechCrunch reached several healthcare companies that rely on Truepill to dispense and mail medications.
When reached for comment by TechCrunch, Hims & Hers spokesperson Khobi Brooklyn did not dispute that customer information was affected by the breach involving Truepill. The spokesperson would not say how many Hims & Hers customers are affected, but noted that not all of their customers had their prescriptions filled by Truepill.
"Customer care and data security are top priorities at Hims & Hers, we've invested heavily in both, and we're proud of our record. While this wasn't a breach of our systems or data, it's a reminder to continue to stay vigilant around the steps we take to safeguard our customers," Brooklyn said in a statement.
Telehealth startup Cerebral, which provides telehealth services and prescription medications for mental health conditions, told TechCrunch that it has not had a business relationship or shared patient information with Truepill since 2022. "To date, we have not received any notification of a breach and we have no reason to believe that any Cerebral patient's [protected health information] has been impermissibly disclosed or accessed," Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared millions of patients' information with advertisers for several years.)
Several other pharmacies that worked with Truepill did not comment when contacted by TechCrunch prior to publication.
Cost Plus, the lower-cost online pharmacy founded by Mark Cuban, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.
Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.
TechCrunch learned that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, uses Truepill to fulfill some orders. Nutrisense chief executive Alex Skryl did not respond to an email requesting comment.
The HIPAA connection
It's not uncommon for tech or healthcare companies to share patient data with other companies, such as third-party or specialty pharmacies, to fulfill their services.
U.S. healthcare providers, like doctors' offices and pharmacies, and insurance companies are subject to the health privacy and security rules set out in the Health Insurance Portability and Accountability Act (HIPAA), which in part governs how healthcare providers should properly manage patient data security and privacy. Falling foul of HIPAA can result in heavy fines.
But a lot of telehealth startups are not considered "covered entities" under HIPAA, and HIPAA often does not apply, because the startups themselves do not provide care; rather, they connect patients with healthcare providers.
As Consumer Reports notes, HIPAA "does lay out privacy rules for healthcare providers and insurance companies to follow when they handle personally identifiable medical data," but the same piece of information protected at a doctor's office "can be totally unregulated in other configurations."
Both Hims & Hers and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA "does not necessarily apply to an entity or person simply because there is health information involved." Companies saying they are "HIPAA compliant" can mean that HIPAA does not apply to them.
The U.S. does not have a national data security or privacy law, and instead relies on a patchwork of state laws that vary state by state. Most Americans live in states that have little to no protections against the sharing of a person's information.
Instead, companies usually spell out how they handle customer or patient data in their privacy policies, but are not obligated to disclose which specific companies they work with.
The two people, who received data breach notification letters from Postmeds and spoke with us for this story, both criticized the companies that issued their prescriptions for lacking transparency about who their business partners are and which of those partners would receive their sensitive personal information.
"Once I got my first package and saw 'Truepill' on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to an organization that I personally hadn't entered a trust relationship with," the former Folx user told TechCrunch.
"I just got this letter and I have no idea which doctor this would even be through," said one person. "Also received this letter. No knowledge of the company," said another.
The breach is the latest incident to befall the embattled Truepill.
Truepill underwent several rounds of layoffs in 2022, including large swaths of its product team and all of its U.K. employees. In August, Truepill co-founder Sid Viswanathan was pushed out of the company.
Earlier this month, Truepill settled with the U.S. Drug Enforcement Administration's claims that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill "accepted responsibility for operating an unregistered online pharmacy."
Do you work at a healthcare organization that is affected by the Postmeds/Truepill breach? You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email; you can also contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.