Slashdot Mirror


Hacking the US Prescription System

An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. In the end of the signup rocess, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.

78 comments

  1. Sharing Is Caring! by darkain · · Score: 0

    Sharing Is Caring!

  2. Not exactly a hack by michelcolman · · Score: 1

    So you enter someone's name and date of birth on this website, and it gives you all the details? How exactly is this a hack? If I asked the president of the US for the nuclear launch codes, just for laughs, and to my great surprise he would simply give them to me, would I have "hacked" the US nuclear missile system? Would I be thrown in jail for hacking?

    This is just plain irresponsible behaviour by PillPack, nothing to do with hacking.

    1. Re:Not exactly a hack by arth1 · · Score: 5, Informative

      This is just plain irresponsible behaviour by PillPack, nothing to do with hacking.

      No, this is just plain irresponsible behavior by those who share information to PillPack and others.

      Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

      It's clear that the US prescription system leaks like a sieve, and that even spammers have access to people's prescription history.
      Can we go back to paper prescriptions that don't enter a database, please?

    2. Re:Not exactly a hack by Anonymous Coward · · Score: 3, Funny

      Dude, I get spam for Viagra every day.

    3. Re: Not exactly a hack by Anonymous Coward · · Score: 0

      Yes, when I think about it, I see ads for things I've been or was just prescribed as well, but never anything else. The implications are quite frankly shocking and frightening.

    4. Re:Not exactly a hack by CrimsonAvenger · · Score: 2

      Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

      I've been taking moderately special purpose meds off and on for years (the sorts of things you take when you have a bone marrow transplant).

      I have NEVER gotten any spam emails as a result (unless you count that "you really need to refill your prescription since you're about to run out of pills, you dolt!" sort that I get as a reminder from the drugstore)....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    5. Re:Not exactly a hack by zAPPzAPP · · Score: 1

      They know about your medication (see above).
      What they may lack is the matching email address to your name?

    6. Re:Not exactly a hack by CrimsonAvenger · · Score: 4, Interesting

      They know about your medication (see above).
      What they may lack is the matching email address to your name?

      They know about my meds because I pretty much have to tell someone to get the prescription filled.

      They know my email address since the same people I go to to get the prescription filled have my email address so they can send me reminders that my refills are due.

      So, the pharmacy has my prescription history going way back (what, you think I change pharmacies every time I get a new prescription) and my email address. And I still have never gotten any spam advertising drugs.

      Note that drug advertising to me wouldn't actually do any good, since I'm not an MD, and am incapable of prescribing drugs to myself (or anyone else). That sort of thing is best aimed at doctors and hypochondriacs (the kind who will nag their doctors about the new drugs they see on TV that sound like they'd be PERFECT for their problems)....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    7. Re:Not exactly a hack by zAPPzAPP · · Score: 1

      The 'they' in my post referred to the spammers, not your pharmacy.
      I doubt those are the same people.

      As mentioned in other comments already, do not assume that the spammers get their information directly from that database, or that the email you entered is even saved together with your medical information (why would it?).

      Most likely the pharmacy saves your contact info in their own customer database, which they hopefully don't share.

    8. Re:Not exactly a hack by SuseLover · · Score: 3

      For that matter can we please go back to paper medical records too? How long will it be before all our medical histories become public knowledge?

      While in theory, EMR's can do a lot of good by providing any doctor instant critical info but in the current big-data low security environment, no.

    9. Re:Not exactly a hack by tomhath · · Score: 1

      While in theory, EMR's can do a lot of good by providing any doctor instant critical info

      That's not just a theory, it's a fact. EMRs aren't perfect but they're getting better, and the security issue will be addressed.

      That said, my wife and I both have gotten prescriptions for things that would be obvious if that information was leaked to a spammer, but it hasn't happened.

    10. Re:Not exactly a hack by ColdWetDog · · Score: 3, Interesting

      Your pharmacist has sold your prescription data to some shady third party for advertising purposes. Somehow they managed to loophole that out of HIPAA - it's a 'service' for your own good - or something along those hallucinatory lines.

      Supposedly you can opt out but you first have to know if you got opted in.

      I'm actually surprised that this hasn't generated much flak, but there are so many things to get angsted at I think that most people are just overwhelmed. Personally, I ran out of extra angst a long time ago.

      --
      Faster! Faster! Faster would be better!
    11. Re:Not exactly a hack by monkeyzoo · · Score: 1

      I just went to check it out, and actually the site also requires the last 4 digits of your social security number as well as name and date of birth.

    12. Re:Not exactly a hack by mysidia · · Score: 1

      Most likely the pharmacy saves your contact info in their own customer database, which they hopefully don't share.

      Until a partner pays them enough for it, or a rogue employee finds a buyer....

    13. Re:Not exactly a hack by Anonymous Coward · · Score: 0

      That sort of thing is best aimed at doctors and hypochondriacs (the kind who will nag their doctors about the new drugs they see on TV that sound like they'd be PERFECT for their problems)....

      If you think tv pharma advertising is particularly directed at hypochondriacs, then you really don't understand people. For one thing, hypochondria is an irrational belief that the person is suffering from a disease contrary to diagnostic evidence and expert examination. And when they do have hypochondria, it is primarily fear of the worst conditions - brain tumors, not asthma and insomnia.

    14. Re:Not exactly a hack by Anonymous Coward · · Score: 1, Informative

      Can we go back to paper prescriptions that don't enter a database, please?

      Convince your rep, senators, and Obama to get rid of the ACA (Obamacare) because the ACA mandates all electronic records.

    15. Re:Not exactly a hack by Jane+Q.+Public · · Score: 1

      How long will it be before all our medical histories become public knowledge?

      Well, I think there are two important things to note here: first, IANAL but sharing this data between pharmacies without any patient input would appear to be a blatant violation of HIPAA regulations. Second, my state's prescription database is very definitely NOT supposed to be connected to any Federal database. That would be a violation of State law.

    16. Re:Not exactly a hack by samkass · · Score: 1

      Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

      I've been taking moderately special purpose meds off and on for years (the sorts of things you take when you have a bone marrow transplant).

      I have NEVER gotten any spam emails as a result (unless you count that "you really need to refill your prescription since you're about to run out of pills, you dolt!" sort that I get as a reminder from the drugstore)....

      I don't know if it's the cause here, but if you Google for something, obviously Google's entire value model is to sell that info to advertisers. Likewise if you send or receive gmail about something. Then there's also looking it up on WebMD or another site to find the side effects. I would be a lot more suspicious of online activity "leaking" to spammers than a pharmacy selling it.

      --
      E pluribus unum
    17. Re:Not exactly a hack by emmjayell · · Score: 1

      According to your prescription history, you haven't filled your proangst-xl in over a year. No wonder you are feeling low on angst.

    18. Re:Not exactly a hack by ciscoguy01 · · Score: 1

      I heard where pharmacies are sharing prescription data with each other and with doctors to stop people from going from doctor to doctor to get more meds. More prescriptions than any one doctor would let one patient have. It might be required by law in my state.

      It's all pretty ridiculous, anyway. Doctors act like they give you 30 pills instead of 100 (which might cost the same under a particular pharmacy generic program) they are protecting you, like they don't trust you, the patient. But they do trust you, not to take the whole bottle at once.

      So what's the point?

      --
      .
    19. Re:Not exactly a hack by arth1 · · Score: 1

      EMRs aren't perfect but they're getting better, and the security issue will be addressed.

      And the check is in the mail.

    20. Re:Not exactly a hack by Jane+Q.+Public · · Score: 1

      I heard where pharmacies are sharing prescription data with each other and with doctors to stop people from going from doctor to doctor to get more meds. More prescriptions than any one doctor would let one patient have. It might be required by law in my state.

      We have a state pharmacy database which does that. However, the data is not supposed to be commercially available, AND it most definitely is not supposed to be hooked up to any kind of Federal system.

  3. Assumptions by dcollins117 · · Score: 4, Informative

    From TFA, regarding a person's prescription history, it says

    It is assumed that this information comes from the various backend systems that interlink the pharmacies as described above.

    I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

    That being said, it is unconscionable how lax PillPack.com security procedures were.

    1. Re:Assumptions by OverlordQ · · Score: 4, Interesting

      > I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies.

      This. Pretty much every prescription the doctor writes effectively goes straight to the drug reps. If you stop prescribing, they'll know, and come in and bribe^H^H^H^Hinquire as to why you stopped prescribing their drug.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Assumptions by raburton · · Score: 4, Informative

      Very pleased we have a different system in the UK. Drug reps aren't even supposed to give us pens anymore. That said I've had plenty of free lunches from drug reps along with a presentation about their latest drug, but I'm not talking about fancy dinners just a light picnic type spread from the nearest supermarket. There isn't much point them doing it anyway, as a general rule we are only supposed to prescribe things that are approved by NICE (after proper cost/benefit analysis) and/or in our local formulary. If you are prescribing outside that they'll be coming to you for an explanation, not the drug companies. Drug companies are also not allowed to advertise prescription only drugs direct to the public, which I think is probably the most important difference.

    3. Re:Assumptions by Anonymous Coward · · Score: 1, Insightful

      So HIPAA is basically bullshit then.

    4. Re:Assumptions by Anonymous Coward · · Score: 0

      Laws are for little people. Don't you get it yet?

    5. Re:Assumptions by mrbester · · Score: 2

      That, plus we have data protection laws that prevent patients from being identified by the companies that make the prescription drugs. For sure there are reports that state how many use drug X, but that's aggregated data.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    6. Re:Assumptions by Cornwallis · · Score: 0

      Bullshit. I'm the IT guy for a chain of independent pharmacies and know this is a categorically false statement. Like many others it is part of the mythology surrounding the healthcare "crisis".

    7. Re:Assumptions by Anonymous Coward · · Score: 2, Informative

      They don't sell this information. Instead, the states have set up prescription monitoring programs (PMP) to prevent drug abuse through doctor shopping. Pharmacies are required to submit information about the filled prescription for Schedule II, III, or IV drugs. Some states also allow the pharmacist to consult the PMP for recent prescription history to prevent filling duplicate orders. Hospitals and doctors that directly administer these controlled drugs are normally exempt from reporting to the PMP. The data in PMP registries is used by licensing boards and law enforcement to detect suspicious activity.

    8. Re:Assumptions by CrimsonAvenger · · Score: 2

      I think it is far more likely that the pharmacy sells this information to insurance

      So, the pharmacies are selling information on your prescription drugs to...your insurance company?

      You remember your insurance company - they're the ones who are paying for your prescription drugs. If the pharmacies are selling your drug information to your insurance companies, the pharmacies have one of the greatest rackets in history - they're managing to sell information that is REQUIRED FOR BILLING to the people paying the bills.

      Now that's audacity!

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    9. Re:Assumptions by Anonymous Coward · · Score: 1

      I work in the pharmacy industry. It isn't the pharmacy selling the data it is the PBM and insurance companies selling the data. Your personal health information is ALWAYS for sale by insurance companies. The PBM (Pharmacy Benefit Manager) is supposedly a neutral 3rd party link between the pharmacy and the insurance company but they have enormous power and profits (from selling your data, among other things).

      It sucks and it will only get worse.

    10. Re:Assumptions by CaptainDork · · Score: 1

      When they get it fixed, they will be Ex-Lax®.

      --
      It little behooves the best of us to comment on the rest of us.
    11. Re:Assumptions by DingerX · · Score: 2

      What do they have to sell here? All you need is a legitimate business case to be on the network, and you have access. That's the point here: PillPack immediately changed their procedures, but if they were able to call up a full prescription record using only name and DOB, any number of other businesses with a medical component can too. All you need is to associate names and DOBs (Facebook anyone?), call up the prescription records, look for something chronic, desperate and lucrative, and fire off an automated, personalized email. Profit!

    12. Re:Assumptions by Alan+Shutko · · Score: 2

      I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

      Definitely not. Pharmacies and PBMs are prohibited from selling patient health information. PBMs sell aggregated information to pharma companies, so they can understand the drug trends in an area. They sell doctor-identified data as well. This is a pretty good summary of the data that PBMs and pharmacies can and cannot sell

      I suspect that this was information retrieved by the ePrescribe network. The NCPDP SCRIPT standard defines a transaction to retrieve a prescription history. The standard is not publicly available so we can't see what data elements are required to request a medication history, but I'm guessing that this is how PillPack retrieved the info.

    13. Re:Assumptions by Alan+Shutko · · Score: 3, Informative

      The US has protection that prevents patients from being identified by the companies that make the drugs. There is no federal law preventing DOCTORS from being identified as prescribing a drug. Maine, New Hampshire, and Vermont have laws to further limit this practice.

    14. Re:Assumptions by Registered+Coward+v2 · · Score: 1

      Bullshit. I'm the IT guy for a chain of independent pharmacies and know this is a categorically false statement. Like many others it is part of the mythology surrounding the healthcare "crisis".

      You. I have friends who are drug reps and the days of "spend whatever it takes to keep the docs happy" and getting called on the carpet for "not spending enough" are long gone. The reps are probably healthier though, because it means no more late nights at strip clubs or eating lavish meals every night.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    15. Re:Assumptions by dcollins117 · · Score: 3, Interesting

      I'll allow that I may be wrong. I don't know; it's never happened before so I don't know what it feels like :P

      I note in the excellent link you provided under the section of data mining it says

      Data miners buy prescription information from pharmacies and PBMs.

      Apparently, data identifying a specific person is removed "sufficient to remove the data from the protection of the CMIA and HIPAA", and the records are assigned a number.

      Further,

      Prescription data miners have the ability to re-identify individual data based on the number assigned to it, and they operate separately from the entities - health care providers, health plans, health care clearinghouses, and their contractors or business associates - that do have legal obligations.

      I don't think it too far-fetched to think this happening, particularly since I started seeing a lot of targeted ads for asthma medications not long after coming down with respiratory difficulties last year. Somebody's doing something shady, I'll bet.

    16. Re:Assumptions by Applehu+Akbar · · Score: 1

      Meanwhile, our own data protection laws protect pharma companies from the threat of competition, even by individual patients shopping around for better prices.

      My insurance company requires buying meds through their contracted online pharmacy. So while any hacker might be able to access my prescription history with just a birthdate, I have to go on vacation with half my prescribed supply of pills because the system makes me wait "until it's time" before I can order a refill.

    17. Re:Assumptions by tomhath · · Score: 1

      Pay close attention to the "Privacy Statement" you are required to sign when you fill the prescription. There's a chance it could contain something about sharing your data; if I ever saw that I would let the pharmacy know that they lost a customer. I haven't had that problem with the neighborhood pharmacy I use though.

    18. Re:Assumptions by Wovel · · Score: 1

      I have never signed anything when filling a prescription.

    19. Re:Assumptions by Anonymous Coward · · Score: 0

      > Bullshit. I'm the IT guy for a chain of independent pharmacies and know this is a categorically false statement.

      Someone with your job should be better informed.
      Here is a start: A Huge Company That Tracks And Sells Your Prescription History Now Wants To Go Public

    20. Re:Assumptions by Fnord666 · · Score: 1

      This. Pretty much every prescription the doctor writes effectively goes straight to the drug reps. If you stop prescribing, they'll know, and come in and bribe^H^H^H^Hinquire as to why you stopped prescribing their drug.

      Exactly this. I've been present while a drug rep was discussing with the pharmacist how much of each of his company's drugs local doctors have been prescribing.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    21. Re:Assumptions by adolf · · Score: 1

      That being said, it is unconscionable how lax PillPack.com security procedures were.

      Is it?

      I just signed up. Did the full name, current address, DoB, and (missing from TFS) last four of my SSN.

      It found no prescriptions for me at all.

    22. Re:Assumptions by Anonymous Coward · · Score: 0

      How many death panels have you sat on this week? I bet in a good week you beat Harold Shipman.
      --
      roman_mir

    23. Re:Assumptions by Anonymous Coward · · Score: 0

      They don't sell your PII, that is stripped. They either sell anonymous records or the aggregate for analytical purposes. Hospitals share files with state health agencies, as permitted by HIPAA, and the states turn around and sell the information to private data-mining companies. Insurers both sell and buy this type of data.

      The problem is the records often contain patients’ ages, zip codes, and treatment dates, and this is enough metadata to match names to files if other records are being cross referenced. Basically, nothing is private anymore when companies query multiple sources and build a health profile. As an example, if you have been in an accident, and the injuries and where you were treated have been reported in the news, that can be used to match your identity to an anonymous medical record.
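
The re-identification risk described in the comment above can be measured before a dataset is released. The following is an added example, not part of the original thread: a k-anonymity audit over the quasi-identifiers the comment names (age, ZIP code, treatment date), followed by generalization and suppression. The records, field names and the threshold k=3 are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of "de-identified" records: names are stripped, but the
# quasi-identifiers named in the comment (age, ZIP, treatment date) remain.
RECORDS = [
    {"age": 34, "zip": "02139", "treated": date(2015, 3, 2), "drug": "albuterol"},
    {"age": 36, "zip": "02138", "treated": date(2015, 3, 17), "drug": "fluticasone"},
    {"age": 31, "zip": "02134", "treated": date(2015, 3, 9), "drug": "montelukast"},
    {"age": 52, "zip": "02139", "treated": date(2015, 3, 2), "drug": "metformin"},
    {"age": 58, "zip": "02140", "treated": date(2015, 3, 21), "drug": "lisinopril"},
    {"age": 55, "zip": "02141", "treated": date(2015, 3, 5), "drug": "atorvastatin"},
    {"age": 71, "zip": "02139", "treated": date(2015, 4, 11), "drug": "warfarin"},
    {"age": 34, "zip": "02139", "treated": date(2015, 3, 2), "drug": "sertraline"},
]

QUASI_IDENTIFIERS = ("age", "zip", "treated")


def raw_key(rec):
    """Quasi-identifier tuple exactly as stored in the record."""
    return tuple(rec[q] for q in QUASI_IDENTIFIERS)


def generalized_key(rec):
    """Coarsened tuple: 10-year age band, 3-digit ZIP prefix, treatment month."""
    decade = rec["age"] // 10 * 10
    return (
        f"{decade}-{decade + 9}",
        rec["zip"][:3] + "**",
        rec["treated"].strftime("%Y-%m"),
    )


def audit(records, key_fn, k):
    """Group records by quasi-identifier key and report classes smaller than k.

    A record in a class of size 1 can be matched to a person by anyone who
    knows that person's age, ZIP and treatment date from another source.
    """
    classes = Counter(key_fn(r) for r in records)
    at_risk = [i for i, r in enumerate(records) if classes[key_fn(r)] < k]
    return {"smallest_class": min(classes.values()), "at_risk": at_risk}


def release(records, k):
    """Return a k-anonymous view: generalize, then suppress undersized classes."""
    classes = Counter(generalized_key(r) for r in records)
    out = []
    for rec in records:
        key = generalized_key(rec)
        if classes[key] < k:
            continue  # suppression: the record stays out of the release
        age_band, zip_prefix, month = key
        out.append({"age": age_band, "zip": zip_prefix,
                    "treated": month, "drug": rec["drug"]})
    return out


if __name__ == "__main__":
    K = 3
    print("raw:        ", audit(RECORDS, raw_key, K))
    print("generalized:", audit(RECORDS, generalized_key, K))
    released = release(RECORDS, K)
    print("released:   ", len(released), "records,", audit(released, raw_key, K))
```

k-anonymity only bounds linkage on the listed quasi-identifiers; a class whose members all share one drug still discloses that drug, so a release check would also look at the diversity of the sensitive column.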

    24. Re:Assumptions by Anonymous Coward · · Score: 0

      HIPAA is about the P, not the A. Fines have been issued for failing to release data when required, but never for releasing data when they shouldn't. That should sum it up well. It was more about the Optometrists that refused to release your prescription so you couldn't go to a discount store for your corrections. They thrived off the lock-in. Doctors do that as well. They are required to release my knee scan so I can go to another doctor for a second opinion. They can't hold my medical information hostage to demand more payment from me. Before HIPAA, that was common.

    25. Re:Assumptions by Anonymous Coward · · Score: 0

      Not true in law, but true in practice. They aren't allowed to link a person with a treatment. Period. If they can from news reports, dates of injuries, and all that, then the medical release was illegal.

    26. Re:Assumptions by ciscoguy01 · · Score: 1

      I found out that my prescription records were stored in Milliman Intelliscript
      milliman.com
      I was entitled to a report of their data.
      I got it, with a FCRA Summary.pdf document, since this falls under the fair credit reporting act.

      They got it from my previous health insurance company. You know, they have that 17 page fine print clickthrough agreement that no one can read.

      I applied for health insurance, and a nurse from the company I applied to called me and discussed everything ad nauseam, until I finally hung up and refused to buy the insurance.
      It was like they were afraid if they signed me up they might have to pay for a prescription or something. That should be just illegal.

      --
      .
    27. Re:Assumptions by tlhIngan · · Score: 1

      I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

      That being said, it is unconscionable how lax PillPack.com security procedures were.

      Exactly.

      First off - is a full name and DOB a unique enough identifier? For something as vital as a prescription, it doesn't seem like it. I would presume for patients, there's a real unique identifier involved for electronic prescriptions or using a real scrip.

      The fact that there's no other identifier involved seems to imply sold records that only have your name, DOB and prescription. Not good enough to actually uniquely identify people, but good enough to pre-fill information about you, and if there's a collision, just merge the records and hopefully it'll never come up, or the user will pick the right meds (not that it matters since they still need a real prescription to get the meds).

      I think what PillPack.com revealed is the extent to which your drug purchases are sold around. Though aren't such things covered by medical privacy laws?

    28. Re:Assumptions by Anonymous Coward · · Score: 0

      So they have finally changed their security since the story broke. Did you miss the "how lax PillPack.com security procedures were." from the post?

      .

    29. Re:Assumptions by Anonymous Coward · · Score: 0

      I have friends who are drug reps and the days of "spend whatever it takes to keep the docs happy" and getting called on the carpet for "not spending enough" are long gone. The reps are probably healthier though, because it means no more late nights at strip clubs or eating lavish meals every night.

      Strip clubs? Almost every drug rep I've seen (while sitting in waiting rooms) has been an attractive young woman.

  4. secrets by Mirar · · Score: 1

    Jolly good.. Now the name + the birthday is the secret needed to unlock any identity fraud? Not even including social security (which wasn't secret either)?

  5. Big honey-pots and cries of wolf by Anonymous Coward · · Score: 0

    It's like the whole damn, dumb U.S and its networks are just configured as one big honey-pot, to make it easier to point and cry wolf.

  6. not sure- *fixed?* by Anonymous Coward · · Score: 0

    just tried signing up, can't even see my own info let alone someone else's.

  7. Drug Interaction by Anonymous Coward · · Score: 0

    Pharmacies need to know what scripts you have open so they don't kill you. When you pick up a new prescription they will check with your insurance company what other prescriptions you may already have to ensure there are no adverse interactions between the new drug and what you're already taking. This doesn't excuse what was clearly poor design to have allowed this information to be so easily available, but this may not have been due to some conspiracy of greed.

  8. What about hacking the system for drugs? by swb · · Score: 1

    I always thought we'd hear about the prescription system hacked for drugs, not for personal information.

    There's a ton of pharmacies out there, how do "they" know where to send shipments? How do "they" verify that a shipment is going to an actual pharmacy and not a shell entity, especially if it's CVS store #1887?

    What about actual prescriptions? Many are electronically transmitted to the pharmacy. The schedule II ones (at least when I've been given oxycodone) are printed on paper, but how is that data correlated with the prescribing doctor as legitimate?

    Is every order printed out on paper and cross checked by somebody?

    1. Re: What about hacking the system for drugs? by Anonymous Coward · · Score: 0

      Generally from what I've seen just reading a Rx anytime a controlled substance is prescribed they put their unique dea code on the Rx slip then the Rx slip has those security features. So you would have to steal their pads and duplicate all their writing perfectly because all of those scripts are scanned and if the computer notices a sudden change in Rx counts it alerts someone and I'm sure there are many other triggers that cause a human to look into it. If you write a fake script chances are you will get caught eventually.

  9. Easy defence against the hack by Anonymous Coward · · Score: 0

    Just keep your name and birthday secret.

    1. Re:Easy defence against the hack by Anonymous Coward · · Score: 0

      Yeah, right. "I'd like to pick up a prescription for Jane Doe, born 1/1/1901". Let me know if they give you your prescription or not.

      .

  10. HIPPA by Registered+Coward+v2 · · Score: 5, Informative

    would seem that this would be a violation of HIPPA security rules, assume pharmacies are covered entities, which I think they are. Specifically, covered entities must maintain adequate:

    Administrative Safeguards

    Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

    Technical Safeguards

    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

    It would seem simply allowing access via a name and birthdate is a violation of the above requirements.

    Source: http://www.hhs.gov/ocr/privacy...

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:HIPPA by djtim21 · · Score: 1
      I just checked out the Pill Pack website. You agree to their terms of service:
      • Check this button to agree to the PillPack Terms of Use, Child Safety Waiver, Billing Disclosure, HIPAA privacy policy, PillPack Privacy Policy.

      They aren't violating HiPPA - their HiPPA form explains in detail who they can release your information to, and why. They also list in their privacy policy that they can and will use your information to make their product better and can release your information to third parties. So just from reviewing their website when you sign up, they are following HiPPA to the letter. They are posting correct privacy policies. It's up to you if you want to allow PillPack to disclose all of your information by signing up. I actually think this is a very cool service - for people who take a large amount of pills and need to take it on a tight schedule or some type of daily regimen. I don't think this would be a good service for me personally, I'm diabetic, and I only take 2 pills a day at the same time, along with insulin for my pump.

    2. Re:HIPPA by Registered+Coward+v2 · · Score: 2

      To me the issue is not that they have such a policy but they fail to properly protect the data; which may be a HIPPA violation.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    3. Re:HIPPA by BlackSupra · · Score: 1

      HIPAA: Health Insurance Portability and Accountability Act

      Whose mascot was the purple 'HIPAA Hippo'.

    4. Re:HIPPA by BlackSupra · · Score: 1

      > They aren't violating HiPPA

      HIPAA: Health Insurance Portability and Accountability Act

  11. Copays? How about cash price? by thogard · · Score: 2

    When you try to get a prescription filled in a pharmacy they take your ID and insurance card and send that off to your insurance company. If you have a prescription for something simple and cheap like penicillin that cost say $3 the conversation looks something like this:
    Pharmacy (to insurance co): Joe Sucker gave me a $25 co pay card for penicillin.
    InsCo: Tell him that it is $30 and you now owe us $22.
    Pharmacy to Joe: You owe us $25.

    If Joe had asked cash price, the conversation would have been:
    Pharmacy (to Joe): That will be $3.
    Joe: But I have a $25 co pay
    Pharmacy: Do you want to pay $3 or $25?

    1. Re:Copays? How about cash price? by Bite+The+Pillow · · Score: 1

      What in the actual fuck are you doing on the internet?

      You have the worst pharmacy, worst insurance, or worst information. And not changing at least one of those suggests inferior decision making skills. So since you can't determine this yourself, go fix things and then have a probationary try at being online again.

      I could paste my prescription history, available for tax reasons, but you would claim I made it up. So just stop.

    2. Re:Copays? How about cash price? by Anonymous Coward · · Score: 0

      > Copays? How about cash price?

      Try this website: Don’t go to the pharmacy without checking drug prices at GoodRx first.

  12. Re:Capitalst prescription system defective by desi by Applehu+Akbar · · Score: 1

    If the US healthcare system were to embrace capitalism, it would be a big improvement over the fourteenth-century guild feudalism we have now.

  13. Re:Capitalst prescription system defective by desi by Anonymous Coward · · Score: 0

    Sorry. All the momentum is in the opposite direction.

    But you're definitely right.

  14. Walgreens is worse by Anonymous Coward · · Score: 0

    They don't even require the last four of the SSN.

    See e.g.
    http://rights.com/2015/04/16/p...

  15. rocess schmocess by Anonymous Coward · · Score: 0

    Dear /. editors, I think you mean "process" instead of "rocess" ... thanks for your attention!

  16. Chain pharmacies don't do this. by Anonymous Coward · · Score: 0

    You should report your local podunk scammer pharmacy to your state attorney general's office.

  17. Needs more information by Anonymous Coward · · Score: 0

    Maybe they changed the website after this breach was reported. But now it requires a lot more information than just name and birthdate. Without the last four of the SSN, it will not advance.