Company Behind Truepill Failed to Protect Patient Data from Cyberattack, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims PostMeds, the company behind online pharmacy Truepill, is to blame for a cyberattack announced in October 2023 that compromised the personal data of current and former customers.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 58-page lawsuit says the California-based healthcare company, which provides online pharmacy delivery services to consumers nationwide, first discovered on August 31, 2023 that an unauthorized third party had gained access to certain files used for pharmacy management and prescription fulfillment services. A subsequent investigation revealed that the threat actor had perpetrated the attack between August 30 and September 1 of this year, the suit relays.

Per the case, the information compromised in the breach may have included individuals’ names, medication types, demographic information and prescribing physicians.

The complaint argues that the “foreseeable and preventable” cyberattack was a direct result of the defendant’s failure to implement adequate data security measures to safeguard customer information. The online pharmacy purportedly stored the unencrypted data in a “dangerous” and “vulnerable” condition in its network, the filing charges.

The lawsuit also takes issue with the allegedly untimely and insufficient notification of data breach victims. PostMeds’ notice letter, which was sent to affected individuals about two months after the company reportedly detected the incident, failed to explain how cybercriminals gained access to the system, what specific demographic information was exposed and what steps are being taken to secure customer data in the future, the suit contends.

The plaintiff, a West Virginia resident and current customer, received notice on October 30 informing him that his private information had been compromised in the breach, the case says. The man claims that following the incident, he has experienced “suspicious activity” on his Venmo account and learned from multiple credit monitoring agencies that his personal data was posted on the dark web.

“Had [the defendant] remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field, it could have prevented intrusion into its information storage and security systems and, ultimately, the theft of [the plaintiff’s] and class members’ confidential private information,” the complaint charges.

As a result of the company’s alleged negligence, victims like the plaintiff now face an ongoing risk of identity theft, fraud and other illegal misuse of their personal data, the filing asserts.

The lawsuit looks to represent anyone in the United States whose private information was compromised in the data breach announced by PostMeds in October 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.