Rite Aid, the third-largest drugstore chain in the United States, says that 2.2 million customers’ personal information was stolen last month in what it described as a “data security incident.”

The pharmacy giant employs over 6,000 pharmacists (out of a total workforce of more than 45,000) in 1,700 retail stores across 16 states.

In data breach notification letters filed with the Office of Maine’s Attorney General, Rite Aid said it detected the incident on June 6, 12 hours after the attackers breached its network using an employee’s credentials.

“We determined by June 17, 2024, that certain data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party,” the company said.

“This data included purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018.”

Just as it told BleepingComputer when it first confirmed the data breach on Friday, Rote Aid added that the customers’ Social Security numbers, financial information, or health information were not exposed in the incident.

Attack claimed by ransomware gang

Although Rite Aid has yet to reveal who was behind the June attack, the RansomHub ransomware gang claimed the breach, saying they also stole customer data from the company’s systems.

​”While having access to the Riteaid network we obtained over 10 GB of customer information equating to around 45 million lines of people’s personal information. This information includes name, address, dl_id number, dob, riteaid rewards number,” RansomHub said on their dark web leak site.

The drugstore chain was added to RansomHub’s leak site after it allegedly halted ransom negotiations, which prompted the ransomware gang to share a screenshot of claimed stolen data as proof, stating that everything would be leaked in two weeks.

Rite Aid has yet to reply to a request for more details regarding the June incident after BleepingComputer reached out again on Friday.

RansomHub is a relatively new operation that extorts victims in exchange for not leaking stolen files. If negotiations fail, the files are often auctioned to the highest bidder.

The gang focuses on data-theft-based extortion rather than encrypting victims’ files, although they were identified as a potential buyer of Knight ransomware source code.

Since the start of the year, RansomHub has also claimed responsibility for breaching U.S. telecom provider Frontier Communications, stealing the information of 750,000 customers and forcing them to shut down systems to contain the breach.