Healthcare startups scramble to assess fallout after Postmeds data breach hits millions of patients

More than two million people across the United States will receive notice that their personal and sensitive health information was stolen earlier this year during a cyberattack at Postmeds, the parent company of online pharmacy startup Truepill.

For some of those affected, it’s the first they’re hearing of Postmeds, let alone that the company lost their sensitive personal and health information during the data breach.

News of the data breach also appeared to catch off-guard healthcare startups that previously relied on Postmeds to fulfill their customers’ prescriptions.

Postmeds, or Truepill, is an online pharmacy fulfillment startup that fills prescriptions for big-name telehealth services and other pharmacies, and mails medications to their customers. Postmeds, through Truepill, has fulfilled prescriptions for customers of Folx, Hims, and GoodRx, and other popular online telehealth startups that have emerged in recent years.

Even if you’ve never heard of Postmeds, the company may have filled one of your prescriptions and handled your information. Truepill’s website says it has delivered 20 million prescriptions to three million people since its founding in 2016.

Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.

Data breach “presents a huge risk”

In its data breach notice, Postmeds said hackers stole a trove of sensitive data, including patient names and demographic information — such as dates of birth — the type of prescribed medications and the prescriber’s name. In some cases that information can infer the reason for taking the medication, which can include a person’s highly sensitive medical information, such as details about their mental, sexual, and reproductive health.

Some of those who received data breach notification letters told TechCrunch that they were unfamiliar with Postmeds and why the company had their information.

“Me and my partner also had overlapping times in which we were both patients with Folx, but I never got a letter,” a former Folx customer, whose partner received a data breach notification, told TechCrunch.

Folx Health is a telehealth company that caters for the LGBTQIA+ community, with clinicians who can prescribe medications that support gender-affirming care. Folx said it previously used Truepill to fulfill customer prescriptions.

When reached for comment by TechCrunch, Folx chief operating officer Dana Clayton told TechCrunch: “Folx terminated its relationship with Truepill in November of 2022. We are in touch with Truepill about the incident and are working to quickly assess any potential impact to our members.”

“Like other healthcare companies, we send prescriptions to a wide range of pharmacies based on member choice, medication availability, cost, and other factors. Folx takes its members’ privacy seriously and holds its partners to the strictest security standards,” said Clayton. “Truepill’s data breach has been a matter of considerable disappointment and concern for us, and Folx is committed to keeping our members informed as we learn more.”

The former Folx customer, who works in cybersecurity, told TechCrunch that the data breach “presents a huge risk, especially for a community that stands to lose so much more by having that data compromised.”

Postmeds has not publicly commented beyond its data breach notice. TechCrunch asked Postmeds chief executive Paul Greenall in an email to provide a list of companies that Postmeds partnered with whose customers are affected. Greenall did not respond.

Another person who received a data breach notification letter said they were prescribed a continuous glucose monitor a year or so ago by metabolic health startup Levels Health, which relies on Truepill for fulfilling its customers’ prescriptions for blood glucose monitors.

When contacted by TechCrunch, Levels would not say if its customers in the United States are affected by the Postmeds breach.

Kate Burton-Barlow, representing Levels via a third-party agency, said in an email that Levels “formerly established a relationship with Truepill in the U.K. in anticipation of a future U.K. launch, but that launch has not taken place, so Levels does not have any U.K. customers that this could have affected.”

TechCrunch contacted several healthcare companies that relied on Truepill to dispense and mail medications.

When reached for comment by TechCrunch, Hims spokesperson Khobi Brooklyn did not dispute that customer data was affected by the breach involving Truepill. The spokesperson would not say how many Hims customers are affected, but noted that not all of Hims customers had their prescriptions filled by Truepill.

“Customer care and data security are top priorities at Hims & Hers, we’ve invested heavily in both, and we’re proud of our record. While this wasn’t a breach of our systems or data, it’s a reminder to continue to stay vigilant around the steps we take to safeguard our customers,” Brooklyn said in a statement.

Telehealth startup Cerebral, which provides telehealth services and prescription medications for mental health conditions, told TechCrunch that it has not had a business relationship or shared patient information with Truepill since 2022. “To date, we have not seen any notification of a breach and we have no reason to believe that any Cerebral patient’s [protected health information] has been impermissibly disclosed or accessed,” Cerebral spokesperson Brittney Henderson said in an email. (Cerebral separately disclosed earlier this year that it had shared millions of patients’ data with advertisers for several years.)

Several other pharmacies who worked with Truepill did not comment when contacted by TechCrunch prior to publication.

CostPlus, the lower-cost online pharmacy founded by Mark Cuban, which relies on Truepill for shipping medications to customers, did not respond to requests for comment. Cuban invested an undisclosed amount in Truepill earlier in 2023.

Healthcare and prescription coupon giant GoodRx relies on Truepill as its mail delivery partner. GoodRx spokesperson Lauren Casparis did not respond to requests for comment.

TechCrunch learned that Nutrisense, a tech startup that provides continuous glucose monitors by prescription, uses Truepill to fulfill some orders. Nutrisense chief executive Alex Skryl did not respond to an email requesting comment.

The HIPAA connection

It’s not uncommon for tech or healthcare companies to share patient data with other companies, such as third-party or specialty pharmacies, to fulfill their services.

U.S. healthcare providers, like doctors offices and pharmacies, and insurance companies are subject to the health privacy and security rules set out in the Health Insurance Portability and Accountability Act, or HIPAA, which in part governs how healthcare providers should properly manage patient data security and privacy. Falling foul of HIPAA can result in heavy fines.

But a lot of telehealth startups are not considered “covered entities” under HIPAA, and HIPAA often does not apply, because the startups themselves do not provide care, rather they connect patients with healthcare providers.

As Consumer Reports notes, HIPAA “does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data,” but the same piece of information protected at a doctor’s office “can be totally unregulated in other settings.”

Both Hims and Cerebral note in their privacy policies that while state privacy laws may apply, HIPAA “does not necessarily apply to an entity or person simply because there is health information involved.” Companies saying they are “HIPAA compliant” can mean that HIPAA does not apply to them.

The U.S. does not have a national data security or privacy law, and instead relies on a patchwork of state laws that vary state-by-state. Most Americans live in states that have little to no protections against the sharing of a person’s information.

Instead, companies usually spell out how they handle customer or patient data in their privacy policy, but are not obligated to disclose which specific companies they work with.

The two people, who received data breach notification letters from Postmeds and spoke with us for this story, both criticized the companies who issued their prescriptions for lacking transparency about who their business partners are and which of those partners would receive their sensitive personal information.

“Once I got my first package and saw ‘Truepill’ on the box from Folx, I realized, admittedly late on my part, that my data had been sent off to an organization that I personally hadn’t entered a trust relationship with,” the former Folx user told TechCrunch.

Several threads on Reddit have comments from people who received data breach notifications from Postmeds, but are not sure which company supplied Postmeds with their information.

“I just got this letter and I have no idea which doctor this would even be through,” said one person. “Also received this letter. No knowledge of the company,” said another.

The breach is the latest incident to befall the embattled Truepill.

Truepill underwent several rounds of layoffs in 2022, including large swaths of its product team and all of its U.K. employees. In September, Truepill co-founder Sid Viswanathan was pushed out of the company.

Earlier this month, Truepill settled with the U.S. Drug Enforcement Administration claims that it illegally dispensed thousands of prescriptions for controlled substances, in which Truepill “accepted responsibility for operating an unregistered online pharmacy.”