Healthcare startups scramble to assess fallout after Postmeds data breach hits millions of patients | TechCrunch

More than two million individuals throughout the United States will obtain discover that their private and delicate well being info was stolen earlier this yr throughout a cyberattack at Postmeds, the father or mother firm of on-line pharmacy startup Truepill.

For some of these affected, it’s the primary they’re listening to of Postmeds, not to mention that the company lost their sensitive personal and health information through the data breach.

News of the data breach additionally appeared to catch off-guard healthcare startups that beforehand relied on Postmeds to fulfill their clients’ prescriptions.

Postmeds, or Truepill, is an internet pharmacy achievement startup that fills prescriptions for big-name telehealth services and other pharmacies, and mails drugs to their clients. Postmeds, by Truepill, has fulfilled prescriptions for patrons of Folx, Hims, and GoodRx, and other popular online telehealth startups which have emerged in recent times.

Even when you’ve by no means heard of Postmeds, the corporate might have crammed one of your prescriptions and dealt with your info. Truepill’s web site says it has delivered 20 million prescriptions to three million individuals since its founding in 2016.

Postmeds lately informed federal regulators in a legally required discover that 2.3 million people had their private info stolen within the breach. The firm started sending written notices to affected people in early November.

Data breach “presents a huge risk”

In its data breach notice, Postmeds mentioned hackers stole a trove of delicate data, together with affected person names and demographic info — akin to dates of beginning — the kind of prescribed drugs and the prescriber’s identify. In some instances that info can infer the rationale for taking the treatment, which might embody an individual’s extremely delicate medical info, akin to particulars about their psychological, sexual, and reproductive well being.

Some of those that obtained data breach notification letters informed TechCrunch that they have been unfamiliar with Postmeds and why the corporate had their info.

“Me and my partner also had overlapping times in which we were both patients with Folx, but I never got a letter,” a former Folx buyer, whose companion obtained a data breach notification, informed TechCrunch.

Folx Health is a telehealth company that caters for the LGBTQIA+ community, with clinicians who can prescribe drugs that assist gender-affirming care. Folx mentioned it beforehand used Truepill to fulfill buyer prescriptions.

When reached for remark by TechCrunch, Folx chief working officer Dana Clayton informed TechCrunch: “Folx terminated its relationship with Truepill in November of 2022. We are in touch with Truepill about the incident and are working to quickly assess any potential impact to our members.”

“Like other healthcare companies, we send prescriptions to a wide range of pharmacies based on member choice, medication availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,” mentioned Clayton. “Truepill’s data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more.”

The former Folx buyer, who works in cybersecurity, informed TechCrunch that the data breach “presents a huge risk, especially for a community that stands to lose so much more by having that data compromised.”

Postmeds has not publicly commented past its data breach discover. TechCrunch requested Postmeds chief government Paul Greenall in an e mail to present an inventory of corporations that Postmeds partnered with whose clients are affected. Greenall didn’t reply.

Another one that obtained a data breach notification letter mentioned they have been prescribed a steady glucose monitor a yr or so in the past by metabolic health startup Levels Health, which depends on Truepill for fulfilling its clients’ prescriptions for blood glucose screens.

When contacted by TechCrunch, Levels wouldn’t say if its clients within the United States are affected by the Postmeds breach.

Kate Burton-Barlow, representing Levels through a third-party company, mentioned in an e mail that Levels “formerly established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected.”

TechCrunch contacted a number of healthcare corporations that relied on Truepill to dispense and mail drugs.

When reached for remark by TechCrunch, Hims spokesperson Khobi Brooklyn didn’t dispute that buyer data was affected by the breach involving Truepill. The spokesperson wouldn’t say what number of Hims clients are affected, however famous that not all of Hims clients had their prescriptions crammed by Truepill.

“Customer care and data security are top priorities at Hims & Hers, we’ve invested heavily in both, and we’re proud of our record. While this wasn’t a breach of our systems or data, it’s a reminder to continue to stay vigilant around the steps we take to safeguard our customers,” Brooklyn mentioned in a press release.

Telehealth startup Cerebral, which gives telehealth services and prescription medications for psychological well being circumstances, informed TechCrunch that it has not had a enterprise relationship or shared affected person info with Truepill since 2022. “To date, we have not seen any notification of a breach and we have no reason to believe that any Cerebral patient’s [protected health information] has been impermissibly disclosed or accessed,” Cerebral spokesperson Brittney Henderson mentioned in an e mail. (Cerebral individually disclosed earlier this yr that it had shared millions of patients’ data with advertisers for a number of years.)

Several different pharmacies who labored with Truepill didn’t remark when contacted by TechCrunch prior to publication.

CostPlus, the lower-cost online pharmacy founded by Mark Cuban, which depends on Truepill for delivery drugs to clients, didn’t reply to requests for remark. Cuban invested an undisclosed amount in Truepill earlier in 2023.

Healthcare and prescription coupon big GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis didn’t reply to requests for remark.

TechCrunch discovered that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, makes use of Truepill to fulfill some orders. Nutrisense chief government Alex Skryl didn’t reply to an e mail requesting remark.

The HIPAA connection

It’s not unusual for tech or healthcare corporations to share affected person data with different corporations, akin to third-party or specialty pharmacies, to fulfill their companies.

U.S. healthcare suppliers, like docs workplaces and pharmacies, and insurance coverage corporations are subject to the health privacy and security rules set out within the Health Insurance Portability and Accountability Act, or HIPAA, which partly governs how healthcare suppliers ought to correctly handle affected person data safety and privateness. Falling foul of HIPAA may end up in heavy fines.

But quite a bit of telehealth startups usually are not thought-about “covered entities” beneath HIPAA, and HIPAA typically doesn’t apply, as a result of the startups themselves don’t present care, moderately they join patients with healthcare suppliers.

As Consumer Reports notes, HIPAA “does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data,” however the identical piece of info protected at a health care provider’s workplace “can be totally unregulated in other settings.”

Both Hims and Cerebral notice of their privateness insurance policies that whereas state privateness legal guidelines might apply, HIPAA “does not necessarily apply to an entity or person simply because there is health information involved.” Companies saying they’re “HIPAA compliant” can imply that HIPAA doesn’t apply to them.

The U.S. does not have a national data security or privacy law, and as a substitute depends on a patchwork of state legal guidelines that change state-by-state. Most Americans stay in states which have little to no protections towards the sharing of an individual’s info.

Instead, corporations normally spell out how they deal with buyer or affected person data in their privacy policy, however usually are not obligated to disclose which particular corporations they work with.

The two individuals, who obtained data breach notification letters from Postmeds and spoke with us for this story, each criticized the businesses who issued their prescriptions for missing transparency about who their enterprise companions are and which of these companions would obtain their delicate private info.

“Once I got my first package and saw ‘Truepill’ on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to an organization that I personally hadn’t entered a trust relationship with,” the previous Folx person informed TechCrunch.

Several threads on Reddit have feedback from individuals who obtained data breach notifications from Postmeds, however usually are not positive which firm provided Postmeds with their info.

“I just got this letter and I have no idea which doctor this would even be through,” mentioned one individual. “Also received this letter. No knowledge of the company,” mentioned one other.

The breach is the most recent incident to befall the embattled Truepill.

Truepill underwent several rounds of layoffs in 2022, together with large swaths of its product team and all of its U.K. employees. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.

Earlier this month, Truepill settled with the U.S. Drug Enforcement Administration claims that it illegally dispensed thousands of prescriptions for controlled substances, wherein Truepill “accepted responsibility for operating an unregistered online pharmacy.”