The drugstore chain based in Philadelphia, Pa., was notified by a vendor partner of a vulnerability in Rite Aid's software that had been exploited by an unknown third party on May 31.
Letters were mailed to customers on July 20 from Rite Aid, stating that it regrets the incident and that the breach was immediately reported to law enforcement along with federal and state regulators.
The vendor provided a software update to correct the vulnerability during a review of Rite Aid's systems and the software, and it was discovered that on May 27 certain company files had been accessed by the unknown third party.
The drug store chain said the data exposed included names, birth dates, addresses, and prescription information. In some cases, insurance information — like plan names and cardholder IDs — was accessed, but social security numbers and credit card information were not compromised, according to local news outlet, WGAL.
Rite Aid recently hired a new chief legal officer in June, but it is unclear if the move was related to the security breach. Thomas Sabatino was brought on to “oversee the organization’s legal affairs, including enterprise risk management, compliance, regulatory affairs, and privacy,” according to the release.