PillPack releases notice of data leak

PillPack, a full-service pharmacy company owned by Amazon, has released a security notice of unauthorized access.

What happened

In a statement released by PillPack, the company disclosed that an unauthorized user or users gained access to PillPack.com accounts. The attacker was able to log in using the account holders’ own email addresses and passwords.

PillPack’s security team noticed suspicious activity beginning April 3rd, 2023, and immediately launched an investigation. Ultimately, they found that between April 2nd, 2023, and April 6th, 2023, personal data, including customer email addresses, information related to PillPack prescriptions, and contact information for prescribing providers, was accessed. 

PillPack found that 19,032 accounts were accessed, with 3,614 of those accounts containing prescription information. 

Why it matters

It’s unclear how the emails and passwords were obtained; the notice from PillPack suggested that account holders had used the same email-password combination on other sites. If so, the incident could be part of a chain breach, where credentials exposed in one breach are used to break into the same user’s accounts elsewhere.

PillPack maintains that its own systems were secure, which suggests that other systems, unrelated to PillPack but with overlapping account holders, may have suffered a breach.

What was said

In PillPack’s statement, the company said that once they discovered suspicious activity, they immediately launched an investigation that “confirmed that no email addresses or passwords were taken from PillPack.” 

In the same statement, PillPack said that no social security numbers or payment card information were involved.

In response to the breach, PillPack “quickly reset all account passwords to prevent unauthorized access” and “enabled multi-factor authentication on all accounts.”  

Going deeper

For Amazon, this isn’t the first hiccup with data-sharing in recent times. Amazon Clinic, a popular operation rolled out in 2022, has faced pushback for its vague privacy agreement, which states that users must agree to the “use and disclosure of protected health information.” 

This incident also fits another trend: the root cause of a data compromise often goes undisclosed. In this instance, Amazon seemed unable to fully trace how the breach occurred. In many cases, determining how data became compromised is extremely difficult, which reflects the growing complexity of breach situations. Even so, when a company cannot determine the exact reason a breach occurred, the same weakness can be exploited again in the future.

The bottom line

During routine monitoring, PillPack found a data breach and was able to act quickly in response. Although it was able to secure its data, the uncertainty over how the breach initially occurred is concerning.

Companies should encourage users not to reuse passwords across sites, and should also monitor account activity frequently, as Amazon did, so that compromised logins are caught before more data is exposed.
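As an added illustration of the kind of monitoring the article refers to (example code, not PillPack's or Amazon's), the check below scans constructed authentication log lines for a single source address that successfully signs in to many distinct accounts within a short window, the trace that reused email-password pairs leave behind. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): "<timestamp> <source ip> <account> <result>".
SAMPLE_LOG = """\
2023-04-02T01:00:05Z 203.0.113.7 alice@example.com success
2023-04-02T01:00:09Z 203.0.113.7 bob@example.com success
2023-04-02T01:00:12Z 203.0.113.7 carol@example.com failure
2023-04-02T01:00:14Z 203.0.113.7 dave@example.com success
2023-04-02T01:00:20Z 203.0.113.7 erin@example.com success
2023-04-02T01:00:22Z 203.0.113.7 frank@example.com success
2023-04-02T09:30:00Z 198.51.100.4 alice@example.com success
2023-04-02T09:31:00Z 198.51.100.4 alice@example.com success
"""

def parse_line(line):
    """Split one log line into (datetime, ip, account, result). Format is assumed."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: accounts} for source IPs that successfully signed in to at
    least `min_accounts` distinct accounts within any sliding `window`.

    One person rarely signs in to many accounts from one address; reused
    email/password pairs tried from one source produce exactly that burst.
    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, result = parse_line(line)
        if result == "success":          # failures are a separate signal
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()                    # oldest first for the sliding window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} accounts in one window -> review and force reset")
```

A hit is a trigger for review and a forced password reset on the affected accounts, not proof of compromise on its own.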
