A major cybersecurity incident at one of the nation's largest pharmacy chains has exposed the personal and prescription data of approximately 25 million customers. The breach, discovered on April 8, is being investigated by the FBI and state attorneys general.
Compromised data includes names, addresses, dates of birth, Social Security numbers, insurance information, and detailed prescription histories. The sensitivity of prescription data is particularly concerning, as it reveals medical conditions that patients may wish to keep private.
The attack vector was a compromised third-party vendor that provided inventory management services. Attackers gained access to the vendor's systems and used the trusted connection to move laterally into the pharmacy's customer database.
The breach highlights the growing vulnerability of supply chain attacks, where organizations' security is only as strong as their weakest vendor. The pharmacy chain had passed its most recent SOC 2 audit, demonstrating that compliance alone is insufficient for security.
Affected customers are being offered three years of identity monitoring and medical identity theft protection. Several class action lawsuits have already been filed, and the company's stock has dropped 12% since the breach was disclosed.
