Cyber Incident Victim: Rite Aid
Date: May 2023
Location: United States of America
Summary
A data security incident at Rite Aid occurred following a vendor's software vulnerability exploited by an unauthorized third party, leading to access of company files containing protected health information. Exposed data included patient names, birth dates, addresses, prescription details, prescriber information, and limited insurance data, though no Social Security or financial information was compromised. The company addressed the vulnerability with a vendor-provided update, notified law enforcement and regulators, and offered affected individuals complimentary identity monitoring services—including credit monitoring, fraud consultation, and theft restoration—for one year through Kroll.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, Rite Aid discovered a data security incident stemming from a vulnerability in a vendor partner’s software, which an unknown third party exploited. The vendor notified Rite Aid of the defect and provided a software update, which Rite Aid promptly installed. A subsequent review of Rite Aid’s systems and the vendor’s software revealed unauthorized access to certain company files on May 27, 2023. The compromised files contained protected health information, including patient first and last names, dates of birth, addresses, prescription details such as medication names and fill dates, prescriber information, and limited insurance data comprising plan names and cardholder IDs. No Social Security numbers, credit card information, or other financial data were exposed in the breach. Rite Aid reported the incident to law enforcement and federal and state regulators, though the specific agencies were not disclosed in the notification. The breach stemmed from external exploitation of a third-party system, with no indication of direct compromise of Rite Aid’s internal infrastructure.

In response, Rite Aid offered affected individuals one year of complimentary identity monitoring services through Kroll, including credit monitoring, fraud consultation, and identity theft restoration. Activation required enrollment via a dedicated website by a specified deadline, though the letter redacted the exact URL and enrollment cutoff date. Rite Aid’s notification letter, dated generically as "Month Day, Year," included resources for obtaining free credit reports, placing fraud alerts or security freezes, and contacting credit bureaus and regulatory agencies like the Federal Trade Commission. The company established a dedicated call center for inquiries but did not disclose whether internal security enhancements or vendor audits were conducted beyond the initial software patch. The incident’s impact was confined to data stored within the affected vendor systems, with no evidence of broader network infiltration or data exfiltration beyond the specified files. Rite Aid emphasized its commitment to safeguarding personal information but did not provide specifics on preventative measures implemented post-breach.
