Truepill, a digital health startup that provides pharmacy fulfillment services for healthcare organizations, has confirmed that hackers accessed the personal data of more than 2.3 million patients.
In a data breach notice published on its website, the company says Postmeds, the parent company behind Truepill, experienced a “cybersecurity incident” that allowed unnamed attackers to gain access to files used for pharmacy management and fulfillment services between August 30 and September 1.
Get in touch
Do you have more information about the Truepill data breach? You can contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.
The company’s investigation found that the accessed files contained sensitive customer information, including patient names, unspecified demographic information, medication type and the name of the patient’s prescribing physician. Truepill said Social Security numbers were not involved, as the company does not receive this information.
Truepill confirmed 2.3 million patients were affected according to a required legal filing submitted to the U.S. Department of Health and Human Services’ data breach reporting portal. Truepill’s website says the company has served more than three million patients and delivered 20 million prescriptions since it was founded in 2016.
Truepill said it was enhancing its security protocols and rolling out additional cybersecurity training for employees. The company did not say how its systems were compromised or what specific measures it has implemented to prevent future breaches, and a spokesperson did not respond to TechCrunch’s questions.
The data breach — news of which was first shared with impacted individuals on October 30 — is already the subject of a class action lawsuit, which alleges that the cybersecurity incident was a direct result of Postmeds’ failure to implement adequate data security measures to safeguard customer information. Specifically, the complaint accuses the company of not encrypting sensitive healthcare information stored on its servers.
Last week, Truepill settled with the U.S. Drug Enforcement Administration over allegations the pharmacy illegally dispensed thousands of prescriptions for controlled substances.
“With this settlement, Truepill has accepted responsibility for operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances in excess of the 90-day limit and filling prescriptions written by medical providers who did not have the required licenses, all in violation of federal law,” the DEA wrote in a press release on November 6.
