Truepill Pays $7.5 Million To Settle Data Breach Lawsuit

Postmeds Inc., dba Truepill, an online pharmacy, has agreed to settle a class action lawsuit it faced over a 2023 data breach that impacted 2,364,359 people. U.S. District Court Judge Haywood S. Gilliam gave preliminary approval to the plaintiffs’ offer to settle the lawsuit for $7.5 million on November 26, 2024.

Truepill faced several class action lawsuits filed over the data breach. The lawsuits were consolidated into one, In Re: Post Meds, Inc. Data Breach Litigation, since they had similar facts and the same claims. The consolidated lawsuit claimed that Postmeds did not implement reasonable and proper security procedures to safeguard the sensitive data it kept, which enabled a bad actor to access its system and the files used for pharmacy services.

The combined lawsuit claimed negligence, unjust enrichment/quasi-contract, breach of implied contract, invasion of privacy – intrusion upon seclusion, and breach of the California Unfair Competition Law, California Customer Records Act, California Confidentiality of Medical Information Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the California Constitution Article § 1.

After a few months of negotiations, all parties agreed to a settlement to end the litigation, though Postmeds did not admit any wrongdoing. Under the settlement terms, all people who received a notification letter regarding the data breach are included in one nationwide class and can file claims for out-of-pocket expenditures sustained because of the data breach.

Claims can be filed for documented out-of-pocket expenditures and monetary losses, up to $4,000. A claim can also be made for a cash payment. Instead of the cash payment, class members can claim 12 months of Privacy Shield credit monitoring services and data protection. The amount for claims will be reduced by the amount paid for service awards, legal fees and expenses, and attorneys’ fees. After the claims are paid, the leftover settlement funds will be distributed pro rata to the class members.

Class counsel was assured that Postmeds had upgraded its business procedures concerning data security, which may have included HIPAA training, to avoid similar data breaches in the future. Class members can object to or exclude themselves from the settlement within 60 days. Claims should be filed within 90 days. The court’s final approval hearing is scheduled for 120 days from the date of notice. The plaintiffs and class members were represented by James J. Pizzirusso of Hausfeld LLP, Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Jill M. Manning of Pearson Warshaw, LLP.

Image credits: ©NetSec / StratfordProductions, AdobeStock


Posted by John Blacksmith

John Blacksmith is a journalist with several years’ experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.