A virtual pharmacy and mail-order prescription drug firm is notifying about 2.36 million patients of a hacking incident that compromised their sensitive information. In the past week, attorneys have filed at least six proposed federal class action lawsuits related to the breach.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

Hayward, California-based Postmeds, which operates under the name Truepill, reported the data breach to federal regulators on Oct. 30. The company said in a breach notice that it had discovered on Aug. 30 that “bad actors” gained access to a subset of files used for pharmacy management and fulfillment services.

Truepill said it had worked with cybersecurity experts to quickly secure its IT environment, but its investigation determined that attackers had accessed the files over three days, between Aug. 30 and Sept. 1.

The compromised files contained patient names, medication type, demographic information and/or prescribing physician name. Social Security numbers were not affected since the company does not receive this information, Truepill said.

To help prevent future similar incidents, Truepill said it is enhancing its security protocols and technical safeguards and providing additional cybersecurity awareness training to its employees.

As of Tuesday, at least six proposed federal class action lawsuits have been filed against Truepill in the U.S. District Court for the Northern District of California. They all allege similar claims, including negligence and failure by Truepill to comply with federal regulations, including HIPAA and the Federal Trade Commission Act, as well as California state privacy laws, in protecting patients’ sensitive personal and medical information.

Similar to the claims in the other five lawsuits, the complaint filed on Nov. 10 by plaintiff Christopher Williams on behalf of himself and others similar situated, alleges that Williams suffered concrete harm, including the unauthorized disclosure of his private health information to third parties; the imminent risk of fraud and identity theft; and privacy violations of his highly sensitive medical information.

Williams’ litigation and the other lawsuits all seek similar relief – including financial damages and an injunctive ordering requiring “substantial improvements” to Truepill’s data security systems.

Truepill did not immediately respond to Information Security Media Group’s request for comment and for additional details about its cybersecurity incident.

Rich Targets

Cybercriminals also have targeted other online, mail-order and specialty pharmacies. The Department of Health and Human Services HIPAA Breach Reporting Tool website shows at least a half-dozen major health data breaches so far this year involving pharmacy firms, in addition to the Truepill incident.

The largest of those incidents so far this year is a hack reported to HHS’ Office for Civil Rights in May by PharMerica Corp. as affecting nearly 6 million individuals. The Kentucky-based company, which provides pharmacy services to long-term care, senior living, home infusion, specialty pharmacy, and hospital management programs, was the apparent victim of a ransomware attack by cybercriminal gang Money Message (see: PharMerica Reports Breach Affecting Nearly 6 Million People).

Pharmacies are an attractive target for cybercriminals because they are at the confluence of storing and processing valuable data, said Mike Hamilton, CISO and founder of security firm Critical Insight.

“Although it does not – yet – appear that credit card or other financial information was disclosed by Truepill, that may have been the ultimate goal of the threat actor,” he said.

Online and mail-order pharmacies, such as Truepill, have a technology footprint that is specific to financial transactions, as well as an interface to protected health information, Hamilton said.

“This combination has numerous avenues for vulnerability and misconfiguration exploit. The internet-facing website or mobile app, the processing of credit card and other financial information, and the acquisition, storage and verification of PHI all constitute separate technologies, each of which is potentially vulnerable to compromise.”

Hamilton said that pharmacies not only face threats involving the privacy of protected health information that they handle, but also the integrity of that data and potential safety concerns for patients.

“If an actor can access and exfiltrate data, that actor has sufficient access to modify the data,” he said. “Ultimately, records should be reviewed and reauthorized as accurate by customers and/or compared to records in backup.”

Hamilton said pharmacies should perform file integrity monitoring, such as that required by the Payment Card Industry Data Security Standard – and apply it to patients’ PHI as well as their cardholder data operations.