Heimdal Security Blog

Truepill Sued Over Data Breach Exposing 2.3 Million Customers


Truepill data breach exposed sensitive information belonging to 2,364,359 people and risks multiple lawsuits.

The B2B-focused pharmacy platform discovered the incident on August 31, 2023. They promptly launched an investigation and took additional security measures to contain the incident.

However, they only began notifying the impacted people on October 30th.

The Truepill Data Breach Impact

After gaining unauthorized access, threat actors exfiltrated several categories of sensitive data:

Although Social Security Numbers weren't exposed (Truepill doesn't collect that data), hackers still have enough details for social engineering campaigns. Identity theft and phishing campaigns are also a possibility.

In the notice, the company advised the affected customers to

regularly review their information for accuracy, as a best practice, including information they receive from their health care providers.

Source – Truepill notice

Why Do Customers Sue Truepill?

Customers accuse Truepill of negligence and failure to comply with federal regulations. Reportedly, six proposed federal class action lawsuits have already been filed against the pharmacy platform.

California’s data breach notification law requires organizations that collect personal data to notify impacted people if a data breach occurs.

Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Source – IT Governance USA

Customers claim Truepill handled their private data improperly and notified them too late about the data breach. Indeed, Truepill didn't encrypt the healthcare information stored on its servers. Additionally, it took the company two months from the moment it discovered the breach to warn the affected people.