Drugstore chain Rite Aid says data breach impacted over 2.2 million patients

American drugstore chain Rite Aid Corporation said it experienced a significant data security incident that compromised the sensitive personal information of about 2.2 million individuals.

 

In a data breach notice filed with the office of Maine Attorney General, Rite Aid said that on June 6, an unknown third party impersonated a company employee, compromised their business credentials and gained access to certain company systems.

 

Immediately after identifying the security breach, the company launched an investigation, with assistance from external cyber security experts, to determine the scope of the incident.

 

“We determined by June 17, 2024, that certain data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party,” the drug retailer said.

 

The compromised data included customers’ names, addresses, dates of birth and driver’s license numbers and other forms of government-issued IDs presented at the time of a purchase between June 6, 2017, and July 30, 2018. 

 

Rite Aid’s filing with the Maine state regulator revealed that at least 2.2 million individuals were impacted by the incident. It said the breach did not compromise patients’ Social Security numbers, financial information or medical information.

 

“We regret that this incident occurred and reported it to law enforcement, as well as federal and state regulators. We are also implementing additional security measures to prevent potentially similar attacks in the future,” Rite Aid added.

 

Rite Aid has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through Kroll to all affected individuals.

 

The RansomHub group has claimed responsibility for the cyber attack on Rite Aid and listed it as a victim on its data leak site. The group claimed to be in possession of 10GB of data stolen from the company and has threatened to leak the same if its ransom demands aren’t met.