2.36 Million Impacted By Truepill Data breach

US mail-order pharmacy provider Truepill is sending notification letters to more than 2.36 million individuals disclosing that their personal data was compromised in a breach of its systems in late August.

Truepill, also known as Postmeds, said the data accessed by attackers who infiltrated its network on August 30th included:

  • Full names 
  • Demographic details 
  • Medication types 
  • Names of their prescribing physicians 

Truepill’s B2B-focused pharmacy platform uses APIs to provide order fulfillment and delivery services for direct-to-consumer healthcare brands, which is why some individuals receiving the notices had never heard of the company.

The breach has prompted various class action lawsuits accusing Postmeds of providing incomplete information regarding the compromised data, failing to ensure the encryption of sensitive health data and delaying the company’s breach notification. 

Ted Miracco, CEO of Approov Mobile Security, had this comment:

   “Many healthcare organizations still rely on legacy systems and infrastructure that were not designed with modern cybersecurity practices in mind. API security today is of utmost importance, particularly in the context of mobile APIs, as these are often targeted by attackers due to their inherent vulnerabilities, widespread usage and wealth of sensitive data they can access.  While encryption is a basic aspect of API security for data storage, during transmission sensitive information must also remain secure even if intercepted by malicious actors. Strong encryption protocols such as HTTPS/TLS should be used to ensure the confidentiality and integrity of data exchanged between mobile devices and APIs. 

   “In addition to encryption, the use of secure short-lived tokens is an effective security practice. These tokens serve as access credentials and are typically issued for a limited duration. By using short-lived tokens, the window of opportunity for attackers to exploit stolen or compromised tokens is minimized. Regularly rotating these tokens further enhances security by reducing the potential impact of a token compromise. 

   “Implementing access controls and authorization mechanisms is another important aspect of API security. User credentials alone may not be sufficient to protect sensitive data. APIs should enforce granular access controls, ensuring that users or applications only have access to the specific resources and actions they require. This principle of least privilege helps limit the potential damage in case of a breach. By limiting the number of API requests that can be made within a specific time frame, these measures help safeguard the API infrastructure and protect businesses from costly data breaches like this one.”
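The controls Miracco describes above (short-lived tokens, least-privilege scopes and request rate limits) are easy to state and easy to get wrong in practice. The following is an added illustration, not code from the original post, from Truepill or from Approov: a minimal API gateway check in Python that issues HMAC-signed tokens with an expiry, rejects tampered or expired tokens, enforces a per-token scope, and applies a per-subject sliding-window rate limit. The signing key, the subject name, the scope names and the timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed server-side signing key for this example; a real deployment
# would load it from a secret store and rotate it on a schedule.
SECRET = b"example-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes, now: int, ttl_seconds: int = 300, key: bytes = SECRET) -> str:
    """Issue a short-lived token: '<base64 payload>.<base64 HMAC-SHA256>'.

    The payload carries the subject, the granted scopes and an absolute expiry,
    so a stolen token is only useful until `exp` and only for those scopes.
    """
    payload = {"sub": subject, "scp": sorted(scopes), "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int, key: bytes = SECRET):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None
    return payload


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per key in any `window_seconds`."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: int) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authorize(token: str, required_scope: str, limiter: RateLimiter, now: int):
    """Gateway decision for one request: (HTTP status, reason).

    Order matters: an unverifiable token is rejected before it can consume
    rate-limit budget, and denied scope checks still count against the limit
    so a caller probing for resources it was never granted is throttled.
    """
    payload = verify_token(token, now)
    if payload is None:
        return 401, "invalid or expired token"
    if not limiter.allow(payload["sub"], now):
        return 429, "rate limit exceeded"
    if required_scope not in payload["scp"]:
        return 403, "scope not granted"
    return 200, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed epoch timestamp
    token = issue_token("partner-brand-42", {"orders:read"}, now=t0, ttl_seconds=300)
    limiter = RateLimiter(limit=3, window_seconds=60)
    for offset, scope in [(10, "orders:read"), (11, "patients:read"), (12, "orders:read"), (13, "orders:read"), (300, "orders:read")]:
        print(offset, scope, authorize(token, scope, limiter, now=t0 + offset))
```

The scope check is the least-privilege control: a token minted for a fulfillment partner with `orders:read` cannot read patient records even if it is stolen, and its five-minute `exp` bounds how long the theft is useful. Rotation in this model is simply issuing a fresh token from `issue_token` before the old one expires, with a new `iat`/`exp` pair.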

Hopefully the class action lawsuits that have been filed teach this company and others a lesson: if you get pwned, you will pay one way or the other.
