
PostMeds/Truepill Data Breach & $7.5M Settlement Overview

  • Writer: Avraham Cohen
  • Apr 26

If you are in a hurry -> Lessons & Best Practices for CISOs


Introduction

Between August 30 and September 1, 2023, PostMeds, Inc. (d/b/a Truepill, an online pharmacy) suffered a major cyberattack.


In a notice to customers, PostMeds confirmed a “bad actor” accessed pharmacy-management files containing sensitive customer data (names, medications, some demographics and prescribing physicians) for over 2.3 million patients (Digital pharmacy startup Truepill data breach hits 2.3M users).


The California Attorney General’s data breach portal lists the incident exactly from 8/30/2023 to 9/1/2023 (with notice mailed on 10/30/2023) (Search Data Security Breaches | State of California - Department of Justice - Office of the Attorney General).


Affected customers began receiving breach letters in late October 2023.


By November 2023, multiple class-action lawsuits were filed in federal court (e.g. Richard Reed v. PostMeds, Inc. and Rossi v. PostMeds, Inc.) alleging PostMeds negligently failed to protect patient data (Digital pharmacy startup Truepill data breach hits 2.3M users) (Rossi et al v. PostMeds, Inc. 4:2023cv05732 | U.S. District Court for the Northern District of California | Justia).


The breach quickly drew legal action. As Fierce Healthcare reported, plaintiffs claim the unauthorized access exposed personal and health data, placing customers at “significant risk of identity theft and other forms of…harm, and that the elevated risks will be present for a lifetime” (Digital pharmacy startup Truepill data breach hits 2.3M users).


Firms like Schubert Jonckheer & Kolbe LLP opened investigations, noting that Truepill did not disclose how the breach occurred (Digital pharmacy startup Truepill data breach hits 2.3M users).


PostMeds affirmed that it launched an immediate investigation and is “enhancing [its] security protocols…with additional employee training” to prevent a recurrence (Digital pharmacy startup Truepill data breach hits 2.3M users).


Legal Claims and Class Actions

Plaintiffs in the class actions (individual Truepill customers like Richard Reed, John Rossi, Michael Thomas, Marissa Porter, et al.



The class complaint outlines counts for:

(i) negligence (failure to use reasonable security measures and timely detect or notify of the breach) (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710),

(ii) breach of implied contract (PostMeds’ promises to protect and ultimately delete customer data once no longer needed) (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710),

(iii) unjust enrichment (PostMeds retained the benefit of customer data without safeguarding it) (Reed v. PostMeds, Inc. - 3:23-cv-05710), and

(iv) violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §17200, treating security failings as unlawful/unfair business practices) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


In the negligence count, plaintiffs even invoke the FTC Act (15 U.S.C. §45) and HIPAA’s security rules as establishing duties to “reasonably protect” confidential data (Reed v. PostMeds, Inc. - 3:23-cv-05710).


While HIPAA itself lacks a private cause of action, the complaint uses it (and industry standards) to define the duty of care.


In short, plaintiffs allege PostMeds required customers to submit protected health information (PHI) to obtain pharmacy services, promised to protect it, but then failed to do so.


The complaint details that PostMeds collected names, demographic info and PHI under the expectation of confidentiality, and then (through the breach) failed to prevent unauthorized access (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


The UCL claim calls these failures “unlawful, unfair, and deceptive” practices – e.g. not fixing known security risks, misrepresenting privacy safeguards, and violating public policy (FTC Act, California privacy laws) (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


Plaintiffs seek statutory and actual damages for injuries like identity theft, financial losses, and the costs of credit monitoring, as well as injunctive relief (e.g. ordering better security practices).


Settlement Details and Relief

In late 2024, PostMeds agreed to a $7.5 million class-action settlement to resolve these claims (PostMeds to Pay $7.5 Million to Settle Data Breach Class Action) ($7.5 Million Truepill Settlement Resolves PostMeds Data Breach Lawsuit).


Under the deal (preliminarily approved Nov. 26, 2024), more than 2 million U.S. residents who received breach notices are eligible to file claims ($7.5 Million Truepill Settlement Resolves PostMeds Data Breach Lawsuit).


Claimants can receive up to $4,000 each to reimburse out-of-pocket losses (fraud costs, credit monitoring, etc.) caused by the breach (Ground News) ($7.5 Million Truepill Settlement Resolves PostMeds Data Breach Lawsuit).


In addition, they can claim either a pro-rata cash award or up to one year of paid identity-protection services.


Class members filing valid claims will see payments ranging from roughly $45 to $240 per person (after deductions) ($7.5 Million Truepill Settlement Resolves PostMeds Data Breach Lawsuit).


Importantly, the settlement is “without any admission of wrongdoing” by PostMeds (Rossi et al v. PostMeds, Inc. 4:2023cv05732 | U.S. District Court for the Northern District of California | Justia) (PostMeds to Pay $7.5 Million to Settle Data Breach Class Action), as is typical. Judge Haywood Gilliam (ND Cal) granted preliminary approval, noting the deal resolves the pending consumer claims.


Once final court approval is granted (and appeals resolved), funds will be distributed and paid to eligible claimants under the settlement terms.


A dedicated Truepill Settlement website provides claim forms and an FAQ for affected customers; individuals who received a breach notice and fall within the defined class should file a claim through that site by the deadline.


Technical Failures Cited

While PostMeds’ notice said it “secured its IT environment,” the lawsuits paint a picture of systemic lapses.


The complaint alleges fundamental security oversights common in breach cases: inadequate network and email safeguards, insufficient monitoring, delayed breach detection, and failure to promptly notify (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


In particular, plaintiffs claim PostMeds did not maintain “reasonable security procedures” – for example, it allegedly failed to adopt encryption and multi-factor controls, did not segment its networks to limit attacker movement, and allowed unrestricted access to sensitive files (Data Breach Response: A Guide for Business | Federal Trade Commission) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


(FTC guidance recommends checking network segmentation and encryption after a breach (Data Breach Response: A Guide for Business | Federal Trade Commission).)


The class complaint also notes industry norms (referencing the FTC Act and HIPAA) that PostMeds was on notice to safeguard PHI.


The suit details that PostMeds collected “protected health information” as defined by HIPAA, yet still suffered a breach.


Plaintiffs argue the breach was foreseeable – healthcare IT systems are frequent targets – and that PostMeds had a duty to fix known vulnerabilities.


The company has not publicly explained the root cause, and the complaint does not describe an attack path either: its allegations (unencrypted files, unrestricted access to sensitive files, no segmentation) are generic control failures, not a known vector, so the actual entry point remains unknown. Encryption deserves a caveat. HIPAA’s Security Rule treats encryption of electronic PHI as an addressable specification, and the HHS Breach Notification Rule does not require notification for data encrypted in line with HHS guidance, so encryption at rest directly narrows exposure. But full-disk encryption protects only media at rest; an attacker operating with valid credentials on a running system reads the same plaintext the application does, so field-level encryption with separately managed keys and tight access control matter more than disk encryption against that threat.


In sum, plaintiffs’ technical claims center on failure to implement basic security controls.


They emphasize that all the breached data – patient names, medications and health info – is inherently sensitive and “impossible to ‘close’ or change” (Reed v. PostMeds, Inc. - 3:23-cv-05710).


The complaint lists explicit failures: not monitoring their networks, not maintaining adequate email or firewall defenses, and not detecting the breach promptly (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


Had PostMeds employed measures like the Center for Internet Security (CIS) Controls (the California AG’s 2016 Data Breach Report called these “the minimum level of information security” for data holders) (Avoid Becoming a Target of Privacy and Data Breach Class Action Lawsuits | Consumer Financial Services Law Monitor), many of these alleged lapses might have been addressed in advance.


Lessons & Best Practices for CISOs

This case underscores key lessons for security leaders. First, implement and test an incident response plan – the speed of discovery and notification is now a central focus in breach litigation.


As Troutman Sanders warned, “[t]he focus is on how [companies] respond to the incident – with timing being a key component” (Avoid Becoming a Target of Privacy and Data Breach Class Action Lawsuits | Consumer Financial Services Law Monitor).


CISOs should routinely simulate breaches, verify that detection and escalation processes work, and ensure legal and notification experts are looped in so customers are informed within the statutory window (HIPAA’s Breach Notification Rule allows at most 60 calendar days from discovery; several state statutes are shorter).


A prompt, well-documented response also matters for statutory exposure. The CCPA’s private right of action (Cal. Civ. Code §1798.150) lets consumers sue for $100 to $750 per consumer per incident (amounts as enacted; they are periodically adjusted for inflation) when nonencrypted and nonredacted personal information is breached because of a failure to maintain reasonable security, so both encryption at rest and a documented control baseline directly narrow that exposure.


Second, establish a “reasonable security” baseline aligned with industry standards.


The California AG’s 2016 Data Breach Report equated “reasonable security procedures” with implementing all of the then 20 CIS Critical Security Controls (consolidated to 18 in CIS Controls v8) (Avoid Becoming a Target of Privacy and Data Breach Class Action Lawsuits | Consumer Financial Services Law Monitor).


These include essentials like inventorying assets, applying security patches, restricting administrative privileges, and conducting regular vulnerability scans.


In practice, this means using strong encryption for data at rest and in transit, enforcing multi-factor authentication (especially for remote/admin access), and isolating critical systems via network segmentation (Data Breach Response: A Guide for Business | Federal Trade Commission).


FTC guidance also highlights segmentation: an effective design can contain a breach so one compromised server doesn’t expose all data (Data Breach Response: A Guide for Business | Federal Trade Commission).


Third, maintain clear, accurate data-handling policies and disclosures.


If your service requires collecting personal/health data, customers must know how you protect it.


Any privacy notice or consent should reflect actual practices – gratuitous “we protect your data” promises may later become a legal trap if breached.


PostMeds’ case shows plaintiffs will point to any written commitment and allege it was broken (Reed v. PostMeds, Inc. - 3:23-cv-05710) (Reed v. PostMeds, Inc. - 3:23-cv-05710).


Similarly, only retain data as long as needed: the complaint specifically mentions PostMeds’ purported obligation to delete data “once no longer necessary” for treatment, which it failed to satisfy (Reed v. PostMeds, Inc. - 3:23-cv-05710).


Data minimization and timely deletion/archival of old records reduce liability.
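Retention is easier to argue in court when it is enforced by code rather than by a policy document. The following is an added example (not code from the original post or from PostMeds) of a retention sweep over prescription records that keeps a legal hold or active care from being overridden by the retention clock, the exact situation a defendant faces once class actions are pending. The record fields, the retention period and the sample records are assumptions constructed for the example; take the real retention figure from your state board of pharmacy rules and counsel.

```python
"""Added example, not PostMeds' code: a retention sweep over prescription records."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy value; the real figure comes from state board rules and counsel.
RETENTION_DAYS = 3 * 365

# Fixed "today" for the worked example so results are reproducible.
SWEEP_DATE = date(2023, 9, 1)


@dataclass(frozen=True)
class PatientRecord:
    record_id: str
    last_dispensed: date   # last fill or other treatment activity
    open_refills: int      # refills remaining on an active prescription
    legal_hold: bool       # set by counsel, e.g. once litigation is pending


def retention_decision(rec, today):
    """Return (action, reason). A hold or active care always beats the clock."""
    if rec.legal_hold:
        return "keep", "legal hold"
    if rec.open_refills > 0:
        return "keep", "active prescription"
    expires = rec.last_dispensed + timedelta(days=RETENTION_DAYS)
    if today < expires:
        return "keep", f"within retention until {expires.isoformat()}"
    return "delete", f"retention expired {expires.isoformat()}"


def sweep(store, today, dry_run=True):
    """Plan deletions over a record store (dict of id -> record).

    The plan, a list of (record_id, action, reason), is built for every record
    before anything is touched so it can be logged as evidence of the review.
    Only with dry_run=False are the expired records removed from the store.
    """
    plan = [(rid, *retention_decision(rec, today)) for rid, rec in store.items()]
    if not dry_run:
        for rid, action, _ in plan:
            if action == "delete":
                del store[rid]
    return plan


def sample_store():
    """Constructed sample records (assumption, not real patient data)."""
    return {
        "R1": PatientRecord("R1", date(2019, 5, 1), open_refills=0, legal_hold=False),
        "R2": PatientRecord("R2", date(2019, 5, 1), open_refills=0, legal_hold=True),
        "R3": PatientRecord("R3", date(2023, 8, 1), open_refills=0, legal_hold=False),
        "R4": PatientRecord("R4", date(2019, 5, 1), open_refills=2, legal_hold=False),
    }


if __name__ == "__main__":
    store = sample_store()
    for entry in sweep(store, SWEEP_DATE, dry_run=True):
        print(entry)
```

Run it first in dry-run mode and keep the plan output; it doubles as the documentation that data was reviewed for deletion on a schedule. A real deletion also has to reach backups, search indexes and any analytics copies, which this in-memory store does not model.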


Fourth, invest in detection and monitoring. The breach went undetected for a critical period – plaintiffs say PostMeds did not “detect in a timely manner” that data had been stolen (Reed v. PostMeds, Inc. - 3:23-cv-05710).


Modern security stacks (SIEM, intrusion detection, anomaly analytics) can alert teams to unusual data access. Log all access to PHI and review logs regularly.
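To make "review logs regularly" concrete, here is an added example (not code from the original post or from PostMeds) of a review pass over patient-record access logs. It flags the pattern the plaintiffs describe going unnoticed: one principal reading an unusual number of distinct patient records within an hour, a staff account working off-hours, and any account appearing from a source address outside its baseline. The log format, the account-naming convention, the thresholds, the baseline and the sample lines are all assumptions constructed for the example; corrupt lines are reported rather than dropped, since a gap in audit data is itself a finding.

```python
"""Added example, not PostMeds' code: a review pass over record-access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (one line per record read); PostMeds' real format is not public.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Thresholds and naming are assumptions; tune them against your own baseline.
MAX_PATIENTS_PER_HOUR = 25          # distinct records one principal may read per hour
OFF_HOURS = (22, 6)                 # 22:00-06:00 flagged for human (staff) accounts only
HUMAN_PREFIXES = ("rph-", "tech-")  # pharmacist / technician account prefixes

# Constructed baseline: source addresses each account normally works from.
BASELINE_SOURCES = {
    "rph-alice": {"10.1.4.20"},
    "tech-bob": {"10.1.4.31"},
    "svc-report": {"10.2.0.5"},
}

# Constructed sample: routine pharmacist work, a technician at 23:40, one corrupt
# line, and a reporting account reading 120 distinct records in 40 minutes at
# 3 a.m. from an address never seen for it.
SAMPLE_LOG = [
    "2023-08-31T10:05:11 user=rph-alice src=10.1.4.20 action=read patient=P1001",
    "2023-08-31T10:07:40 user=rph-alice src=10.1.4.20 action=read patient=P1002",
    "2023-08-31T10:31:02 user=rph-alice src=10.1.4.20 action=read patient=P1003",
    "2023-08-31T23:40:00 user=tech-bob src=10.1.4.31 action=read patient=P1050",
    "this line is corrupt and must not be silently dropped",
] + [
    f"2023-08-31T03:{12 + i // 3:02d}:{(i * 7) % 60:02d} "
    f"user=svc-report src=203.0.113.8 action=read patient=P{2000 + i}"
    for i in range(120)
]


def parse_line(line):
    """Return a dict for a well-formed line, or None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_access_log(lines, baseline_sources):
    """Return a list of findings; each is a dict with at least a 'rule' key."""
    seen_sources = {u: set(s) for u, s in baseline_sources.items()}  # do not mutate input
    per_hour = defaultdict(set)   # (user, hour bucket) -> distinct patient ids
    off_hours_flagged = set()     # (user, hour bucket) already reported
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"rule": "unparseable", "line": line})
            continue
        user, ts = rec["user"], rec["ts"]
        bucket = ts.replace(minute=0, second=0)
        per_hour[(user, bucket)].add(rec["patient"])

        if rec["src"] not in seen_sources.setdefault(user, set()):
            seen_sources[user].add(rec["src"])  # report each new address once
            findings.append({"rule": "new_source", "user": user, "src": rec["src"], "ts": ts})

        is_human = user.startswith(HUMAN_PREFIXES)
        off_hours = ts.hour >= OFF_HOURS[0] or ts.hour < OFF_HOURS[1]
        if is_human and off_hours and (user, bucket) not in off_hours_flagged:
            off_hours_flagged.add((user, bucket))
            findings.append({"rule": "off_hours", "user": user, "ts": ts})

    for (user, bucket), patients in per_hour.items():
        if len(patients) > MAX_PATIENTS_PER_HOUR:
            findings.append({"rule": "bulk_access", "user": user,
                             "hour": bucket, "patients": len(patients)})
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, BASELINE_SOURCES):
        print(finding)
```

Against the sample, the pharmacist produces no findings, the technician is flagged once for the off-hours read, and the reporting account is flagged both for the unknown source address and for 120 distinct records in one hour. The per-hour counter keys on distinct patient identifiers rather than raw line count, so a legitimate user repeatedly opening one record does not trip it; a bulk export of many records from a service account, the kind of activity a pharmacy-management file exfiltration would look like in these logs, does.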


In the event of compromise, forensic analysis (as FTC recommends) should check if encryption was enabled and who had access at the breach time (Data Breach Response: A Guide for Business | Federal Trade Commission).


This information is vital both for containment and to demonstrate to regulators/courts that due care was taken.


Fifth, train employees and third parties. PostMeds said it would boost employee cybersecurity training after the fact (Digital pharmacy startup Truepill data breach hits 2.3M users).


Proactive security awareness – phishing exercises, credential handling protocols, least-privilege administration – can prevent many breaches.


Similarly, if any vendors or cloud services store patient data, ensure they meet strict security standards.


FTC guidance advises auditing service providers after a breach to verify they fixed vulnerabilities (Data Breach Response: A Guide for Business | Federal Trade Commission).


Finally, have cyber insurance and legal readiness. While prevention is paramount, CISOs should work with legal teams to understand data breach laws (HIPAA, FTC rules, state breach-notification statutes) to ensure full compliance.


The FTC Breach Response Guide and HIPAA’s breach notification rule both outline required actions.


Offering credit monitoring to victims, as the FTC suggests, is wise (PostMeds’ settlement provides one year of monitoring as an option). Arbitration clauses in user agreements can mitigate class-action risk where feasible, though they must be weighed against enforceability and customer relations.


Key Takeaway: The PostMeds/Truepill incident illustrates that healthcare data is a high-value target and regulatory expectations are high.


CISOs must enforce layered security controls (encryption, MFA, segmentation, monitoring), rigorously test response plans, and back up promises with proof.


Maintaining reasonable, documentable safeguards – for example by following the CIS Controls and HIPAA requirements – is the best strategy to protect patients and to defend against future lawsuits (Avoid Becoming a Target of Privacy and Data Breach Class Action Lawsuits | Consumer Financial Services Law Monitor).


Sources: News reports and filings on the PostMeds (Truepill) data breach and settlement (PostMeds to Pay $7.5 Million to Settle Data Breach Class Action; Ground News; $7.5 Million Truepill Settlement Resolves PostMeds Data Breach Lawsuit; Digital pharmacy startup Truepill data breach hits 2.3M users; Rossi et al v. PostMeds, Inc. 4:2023cv05732 | U.S. District Court for the Northern District of California | Justia); California AG data breach notice registry (Search Data Security Breaches | State of California - Department of Justice - Office of the Attorney General); class action complaint (Reed v. PostMeds, Inc. - 3:23-cv-05710); FTC guidance on breach response (Data Breach Response: A Guide for Business | Federal Trade Commission); and cybersecurity best-practice commentary (Avoid Becoming a Target of Privacy and Data Breach Class Action Lawsuits | Consumer Financial Services Law Monitor).

 
 

© 2020 by SDO Security