Rite Aid confirms a ‘limited cybersecurity incident’ after ransomware group claims attack

The American pharmacy chain Rite Aid said it experienced a “limited cybersecurity incident” in June that affected some of the company’s systems. 

In a statement, a spokesperson for Rite Aid said they are in the process of finalizing an investigation into the incident, which they called a “top priority.”

“Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational. We are sending notices to impacted consumers,” the spokesperson said.

They added that no Social Security numbers, financial information or patient information was impacted by the attack. 

The attack on Rite Aid came to light this week when the RansomHub ransomware operation claimed to have attacked the company. In a dark web post the cybercriminals said they stole 10 gigabytes of data that includes customer information like ID numbers and Rite Aid rewards numbers.

The Philadelphia-based company did not answer further questions about whether the incident involved ransomware, what data was accessed and whether a ransom was paid. 

Rite Aid is one of the largest drugstore chains in the United States, with more than 1,700 stores across 16 states. It reported $5.7 billion in revenue last quarter but filed for bankruptcy in October due to federal lawsuits surrounding the opioid crisis. 

RansomHub — which drew headlines earlier this year for hosting data stolen from a subsidiary of insurance giant UnitedHealth Group — said it was negotiating with Rite Aid before the company broke off communications. The group threatened to leak stolen data if a ransom isn’t paid by July 24 deadline. 

Rite Aid is already facing lawsuits for a data breach in May 2023 that exposed the patient names, dates of birth, addresses, prescription data, prescriber information, and limited insurance data of more than 24,000 people. 

The company also filed breach notifications with regulators in California in 2015, 2017 and 2018. 

The healthcare industry has been affected by a spree of cyber incidents this year. The attacks on UnitedHealth Group and several other industry cogs have prompted renewed calls for federal cyber regulations governing the sector. 

On Friday, Sen. Mark R. Warner (D-VA) wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger asking them to move quicker in releasing mandatory minimum cyber standards for the healthcare sector.

“More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk,” he said, adding that cybersecurity is a “patient safety issue.”

“The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding health care stakeholders that are systemically important nationally or regionally.”