Update 07/16: Overnight, RiteAid confirmed 2.2 million people have been affected by this breach. Names, addresses, dates of birth and driver’s license numbers or other forms of government-issued IDs presented at the time of a purchase between June 6, 2017, and July 30, 2018 have been affected. No Social Security numbers, financial information, or patient information were impacted.
Ransomware group RansomHub today added US drugstore chain Rite Aid to its data leak site. RansomHub claims to have stolen 10GB of data from RiteAid, which includes 45 million lines of personal data like names, addresses, driver’s license numbers, dates of birth, and Rite Aid reward numbers.
The gang also goes on to say that Rite Aid had been negotiating with the hackers but once they’d come to an agreement, Rite Aid stopped communicating with them.
Rite Aid has not confirmed RansomHub’s claim at time of posting, but did acknowledge an attack. In response to a request for comment, a Rite Aid spokesperson told Comparitech in an email:
“Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation. We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational. We are sending notices to impacted consumers. In the meantime, we can confirm that no social security numbers, financial information, or patient information were impacted by this incident. We appreciate your patience until we can provide additional information.”
In the meantime, we recommend Rite Aid customers and employees remain on high alert for any potential phishing messages and monitor accounts for any suspicious activities.
Who is RansomHub?
RansomHub employs a ransomware-as-a-service model and has recently been linked to the now-defunct ransomware group, Knight. RansomHub has grown in notoriety in recent months, being behind some of the biggest ransomware attacks this year so far. This includes its attack on UK-based NRS Healthcare, the auction house Christie’s, Florida Department of Health, and Frontier Communications Parent, Inc. It also claimed to be in possession of the data stolen in the Change Healthcare attack, despite the company having already paid a $22 million ransom to ALPHV/BlackCat.
So far this year, we have tracked 15 confirmed and 97 unconfirmed attacks via RansomHub. The latter includes the latest claim on Rite Aid.
Ransomware attacks on US healthcare organizations
So far this year, we’ve seen 37 on US healthcare companies with 3,161,313 records affected. While this looks set to be a reduction on last year’s totals of 134 attacks affecting 22,059,491 records, that’s not to say these ransomware attacks have been any less disruptive.
For example, the Mālama I Ke Ola Health Center in Hawaii recently suffered over two weeks worth of downtime due to a ransomware attack via LockBit. And Lurie’s Children’s Hospital has just started issuing data breach notifications to over 791,000 people following its January 2024 attack.
More about Rite Aid
Rite Aid is a full-service pharmacy with its headquarters in Philadelphia, PA. It has over 1,700 stores across 17 states and more than 45,000 employees.