The retail pharmacy chain issued an alert to its customers that purchasing data from 2017 to 2018 may have been breached by a third party.
On July 16, 2024, Rite Aid reported a cybersecurity breach that occurred last month on June 6. Although the company maintains that Social Security and financial information were not breached—just data from the purchase or attempted purchase products—up to 2.2 million customers’ data may have been affected.
“On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems. We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems, and ascertain if any customer data was impacted,” wrote Andrew Palmer, RPh, CIPP-US, CCEP, Rite Aid’s Chief Privacy Officer, in a notice of data breach sent to Rite Aid customers.1
A third-party hacker stole the customer data of people who purchased or attempted to purchase Rite Aid products from June 6, 2017, to July 30, 2018. No financial data were breached; however, names, birth dates, addresses, and driver’s license numbers and/or government IDs were potentially obtained as a result of the event. Rite Aid maintains that no medical information was breached during the hack.
At press time, several questions remain about the cyberattack and the full extent of how much data was breached. However, several reports are pointing at a specific hacking group that may be responsible, while reports of how many customers affected have been rumored but not solidified.
Rite Aid location in Buffalo, New York | image credit: JHVEPhoto / stock.adobe.com
“RansomHub, the ransomware gang claiming responsibility for the hack, estimated that 45 million customers were affected, but Rite Aid told PC Mag that the actual number was far lower,” wrote Suzanne Blake for Newsweek.2
Attempting to establish who exactly was responsible for impersonating a Rite Aid employee and how many individuals were affected by the breach, the investigation associated with Tuesday’s announcement is ongoing. However, according to a report made to the Office of the Maine Attorney General, the company stated that exactly 2.2 million people were affected; 30,137 of those being Maine residents.3
According to the SC Media staff, the RansomHub hacking group has since taken responsibility for the cyberattack. Although not confirmed by Rite Aid, the group claims that 10 gigabytes of customer data were extracted, and it plans to release it if Rite Aid does not comply with the group’s demands. With sensitive information either being released to the general public or to dark web actors and programs, ransomware attacks like this have been a commonplace within sensitive data systems like Rite Aid’s.4
Ransomware technology was used in the February 21 cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, earlier this year. Affecting approximately one-third of all Americans, the ransomware used in the Change Healthcare event required UnitedHealth Group to pay a $22 million ransom to the perpetrators.5
“Ransomware attacks on hospitals involve hackers encrypting computer networks and demanding payment for their restoration, potentially disrupting the delivery of health care services. These incidents have been increasing in the US, especially since the COVID-19 pandemic. Between 2016 and 2021, more than 370 attacks occurred on US clinics, hospitals, and other health care organizations; the number of attacks doubled over this time,” wrote authors of a study published in JAMA.6
Despite the Rite Aid data breach occurring at a much smaller scale than that of Change Healthcare, the event is concerning for a company that provides pharmacy services for millions of Americans. And while Rite Aid is working to alleviate the incident and implement further security measures to ensure minimal occurrences of cyberattacks in the future, customers and patients alike should stay vigilant as the company attempts to recover from the event.
“Any company that becomes involved in a data breach, ransomware attack, or other breach is often in for a long fight of trying to recoup lost IP, money, consumer trust, and other valuables,” Andrew Newman, founder of cybersecurity firm ReasonLabs, told Newsweek.2
READ MORE: The Effect of Ransomware Attacks on US Hospitals and Adjacent Health Systems
For more on cybersecurity, check out the latest reporting from Drug Topics’ sister site, Chief Healthcare Executive.
Pharmacy practice is always changing. Stay ahead of the curve: Sign up for our free Drug Topics newsletter and get the latest drug information, industry trends, and patient care tips, straight to your inbox.
Q&A: Turning Old Technology into Something New for Pharmaceutical Storage
September 4th 2024Dana Krug, Senior Vice President of Cold Chain Fulfillment at Phononic, explained the current state of his company’s cooling technology and the common trends of temperature control throughout the industry.
