Dive Brief:
- PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers.
- The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren't involved. PillPack said more than 3,600 affected accounts included prescription data.
- The online pharmacy said it discovered the breach on April 3, and it determined an unauthorized person used users’ email addresses and passwords to sign into their accounts between April 2 and April 6.
Dive Insight:
PillPack said an internal investigation found email addresses and passwords weren’t taken, and it’s likely the unauthorized user was able to access accounts because customers used the same log-in information for another website.
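The pattern described here, valid credentials reused from another site and replayed against many accounts from one source, is what defenders look for in authentication logs. The following is an added example, not PillPack's or Amazon's code, run over constructed login events; the event format, the ten-minute window and the four-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real PillPack data): one source
# signs into many distinct accounts with valid passwords within seconds,
# the signature of credential stuffing with passwords reused elsewhere.
# Fields: timestamp, source address, account, login succeeded.
SAMPLE_EVENTS = [
    ("2023-04-02T01:00:00", "203.0.113.7", "alice@example.com", True),
    ("2023-04-02T01:00:04", "203.0.113.7", "bob@example.com", True),
    ("2023-04-02T01:00:09", "203.0.113.7", "carol@example.com", False),
    ("2023-04-02T01:00:15", "203.0.113.7", "dave@example.com", True),
    ("2023-04-02T01:00:20", "203.0.113.7", "erin@example.com", True),
    ("2023-04-02T09:30:00", "198.51.100.2", "alice@example.com", True),
    ("2023-04-02T18:45:00", "198.51.100.9", "frank@example.com", True),
]

def parse(events):
    return [(datetime.fromisoformat(ts), src, acct, ok) for ts, src, acct, ok in events]

def flag_sources(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {source: distinct accounts} for sources that touched at least
    min_accounts different accounts inside any sliding window. A normal user
    logs into one or two accounts; a stuffing tool cycles through many."""
    by_src = defaultdict(list)
    for ts, src, acct, _ok in parse(events):
        by_src[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            accts = {a for _, a in attempts[lo:hi + 1]}
            if len(accts) >= min_accounts:
                flagged[src] = max(len(accts), flagged.get(src, 0))
    return flagged

def impacted_accounts(events, flagged):
    """Accounts with a successful login from a flagged source: the set that
    needs customer notification and a forced password reset."""
    return sorted({acct for _, src, acct, ok in parse(events) if ok and src in flagged})

if __name__ == "__main__":
    hits = flag_sources(SAMPLE_EVENTS)
    print("flagged sources:", hits)
    print("impacted accounts:", impacted_accounts(SAMPLE_EVENTS, hits))
```

Failed attempts count toward the per-source account tally on purpose: a stuffing run mixes successes and failures, and only the successes go into the notification set.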
“There is no evidence that the information viewed has been used in any way, and there has been no unusual activity on the impacted accounts. The limited information that was revealed is not enough to steal someone’s identity,” a PillPack spokesperson wrote in a statement to Healthcare Dive. “This event was limited to PillPack, and we both notified the impacted customers directly and posted the notification to our website.”
Amazon acquired PillPack in 2018 in one of the retail and technology giant’s first moves into healthcare. The ecommerce giant launched its Amazon Pharmacy offering two years later, and recently added a generic drug subscription service and a feature that automatically applies manufacturer-sponsored coupons to eligible orders.
Another deal that cemented Amazon’s ambitions in healthcare — its $3.9 billion acquisition of primary care provider One Medical — closed earlier this year. Though some consumer protection groups raised concerns about the purchase, including questions about data privacy, the Federal Trade Commission missed a deadline to sue and block the acquisition.
Healthcare data breaches have become increasingly common over the past decade. According to a Healthcare Dive analysis, the number of breaches reported reached more than 700 in 2022, more than triple the 200 reported in 2010.
One recent data breach at CommonSpirit affected nearly 624,000 people late last year, delaying patient care and dragging down the Chicago-based health system’s financial results.
With the growth of digital health apps and wearable devices, more nontraditional entities have access to consumers’ health data in a way that is unprotected by existing HIPAA health privacy rules. Regulators have been increasingly aggressive in cracking down on sensitive health data sharing as a result.
Recently, the FTC took steps to strengthen the Health Breach Notification Rule, which requires companies to notify users and the government when that data is breached. The agency recently took enforcement action against drug cost transparency company GoodRx and fertility app Premom using the HBNR, as it aims to shore up data privacy on digital health apps.