Cybersecurity and Pharmacies

Pharmacies as a target-Who’d of thought?

Charles Parker, II

Data…data…data. It’s everywhere, everyday growing at an astonishing rate. There are massive data warehouses throughout the world, holding our digital lives piece by piece. One may not think of a pharmacy as a high value target, even though they hold valuable data. This has however proven to hold interest. Rite Aid has found out what can happen when security has not been addressed. This isn’t a small- or medium-sized target. Rite Aid had over 1,700 stores across 16 states. The corporate revenue was $5.7B last quarter.

Clean-Up in Aisle 6

They were able to get the systems back online. In mid-July they were finishing their forensic work and sending the notices to their impacted customers. They chose not to publish if this was ransomware or if a ransom/fee was paid to the adversary. Believe it or not this was not Rite Aid’s first rodeo with this type of incident. The corporation also is in line for lawsuits from their 2023 compromise. Rite Aid also filed a breach notification with the state of California in 2015, 2017, and another year. This one however was worse. This case had the patient’s name, date of birth, addresses, prescription data, prescriber information, and limited insurance information. This is enough data to keep the adversaries busy for a long time and make the affected people’s lives “interesting”.

Affected Data

Allegedly approximately 10GB of data was exfiltrated. Fortunately, no SSNs, financial information, or patient information was involved. In addition, the adversaries were able to access ID numbers, Rite Aid reward numbers, names, addresses, driver’s license numbers, and date of birth.

Adversary

The attacks have been operationalized and are run much like a business. With so much money being paid if the victim decides to with ransomware, many different groups have elected to be a part of the global phenomenon. They are formulating and implementing attacks against various sized companies in hope o a payday. The lure of the large payday has drawn them to this industry.

With this attack, the RansomHub operation was responsible. This is not a new group. They have also been involved with the United Health Group, UK based NRS Healthcare, Christie’s Auction House, and others. Curiously they work as a RaaS (ransomware as a service) business model. They have also been linked to the defunct ransomware operation Knight.

How it Went

They began to investigate the issue. Once they found the extent of the issue and received the notification, they started the negotiation with RansomHub. They continued this process. At a point, Rite Aid stopped communicating with them. RansomHub added Rite Aid to their dark web site after the communication ceased. After the publication Rite Aid has acknowledge they are attacked in June. Officially the corporation called this a limited cybersecurity incident.

Looking forward

This is not going to stop or slow down. If the adversary happens to get lucky and successfully compromise a network, there is just too much money involved. The potential pay down is substantial. There’s always the legal aspect, however the money is a clear and present draw for everyone.

About the Author-

Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.