Rite Aid’s ecommerce platform breached, personal info stolen
Rite Aid pharmacy chain discovered a breach to its ecommerce platform and an unauthorized individual stole sensitive customer information for a period of 10 weeks, according to HIPAA Journal.
Calls to Rite Aid were not immediately returned.
The hackers were able to access personal data and credit card details from Jan. 30 until April 11, when the breach was detected and access was blocked, the report found. The stolen data included names, addresses and all payment information -- including CVV numbers.
All customers who used the site during this timeframe and manually entered payment details on the site were part of the breach. At the moment, the Department of Health and Human Services’ Office of Civil Rights breach portal has not been updated with the breach details, including how many patients were affected.
Rite Aid worked with investigators to determine the cause of the breach and to prevent future incidents. The pharmacy is also working with credit card companies and assisting with those investigations. Affected individuals will be offered a full year of free credit monitoring.
This is not the first breach of Rite Aid. The company was slammed with a $1 million OCR fine in 2015 for failing to implement adequate policies to safeguard patient information and train employees on the best practices for data disposal.
In 2014, Rite Aid’s third-party service provider PNI Digital Media -- which managed and hosted Rite Aid’s photo site -- was improperly secured for nearly a year. Personal and credit card data of Rite Aid customers were left exposed during this time.