Cyber Incident Victim: Walgreens
Date: May 2023
Location: United States of America
Summary
A Rite Aid vendor partner experienced a software vulnerability that was exploited by an unknown third party, leading to unauthorized access to certain company files. The compromised information included a limited amount of protected health information such as patient names, dates of birth, addresses, prescription details, and some insurance information. No Social Security numbers or financial data were involved in this incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, Rite Aid was informed by a vendor partner of a vulnerability within the vendor's software that had been exploited by an unknown third party. The vendor provided a software update to address the defect, which Rite Aid immediately installed. Following the installation of the update, Rite Aid conducted a thorough review of its own systems and the vendor's software. This investigation revealed that on May 27, 2023, an unknown party had accessed certain company files. The discovery of the access was a direct result of the post-patch review initiated after the vendor's notification. The incident did not involve a direct breach of Rite Aid's internal systems; it was a consequence of a security weakness in a third-party vendor's software that was exploited externally.

The information involved in the incident was contained within the accessed files and included a limited amount of protected health information. This comprised patient first and last names, dates of birth, and addresses. The compromised data also included prescription information, specifically medication names and the dates those prescriptions were filled. Prescriber information was involved, and in some instances, limited insurance information such as plan names and cardholder identification numbers were exposed. The company explicitly stated that no Social Security numbers or financial information, including credit card numbers, were involved in this incident. The scope of the impact was limited to the data contained within the specific files accessed via the vendor's exploited software vulnerability.
In response to the discovery, Rite Aid immediately reported the incident to law enforcement authorities. The company also reported the event to the appropriate federal and state regulators in accordance with legal obligations. Recognizing the potential concern for affected individuals, Rite Aid decided to provide notification to those whose information may have been exposed. The company secured the services of Kroll, a firm specializing in risk mitigation and response, to provide identity monitoring services at no cost to the affected individuals for a period of one year. These services were offered to help relieve concerns and restore confidence following the incident.
The identity monitoring services provided through Kroll included several components designed to assist individuals. Credit Monitoring was offered to provide alerts when changes occurred to an individual's credit data, such as when a new line of credit was applied for in their name. Fraud Consultation provided unlimited access to consultation with a Kroll fraud specialist for advice on protecting one's identity, understanding legal rights, and assistance with placing fraud alerts. Identity Theft Restoration service provided access to a licensed investigator who would work on behalf of an individual to resolve issues if they became a victim of identity theft. Activation instructions and a membership number were provided in the notification letter sent to affected individuals, with a specified deadline to activate the services.
The notification letter also included an extensive "Additional Resources" section to inform individuals of steps they could take independently. This included information on how to obtain a free annual credit report from each of the three nationwide consumer reporting agencies: Equifax, Experian, and TransUnion. The resources detailed the process for placing two types of fraud alerts on a credit report: an initial alert for suspected identity theft, which remains for at least one year, and an extended alert for confirmed victims of identity theft, which remains for seven years. Instructions were also provided for placing a security freeze, also known as a credit freeze, on a credit report free of charge, which is intended to prevent credit, loans, and services from being approved without consent.
Contact information for the Federal Trade Commission was provided for individuals who believed they were a victim of identity theft or had reason to believe their personal information was misused. Specific contact details for the Attorney General's offices in several states, including Maryland, North Carolina, New York, Connecticut, and Massachusetts, were also listed. The notification included state-specific advisories, such as informing Massachusetts residents of their right to obtain a police report if they are a victim of identity theft and advising Iowa and Oregon residents to report suspected identity theft to law enforcement and other authorities. The letter concluded with a dedicated phone number for affected individuals to call with questions, available on weekdays during Central Time business hours, and reiterated the company's commitment to protecting personal information.
