American Associated Pharmacies (AAP)

American Associated Pharmacies (AAP), a cooperative supporting over 2,000 independent U.S. pharmacies, suffered a **data breach** in October 2024. Hackers infiltrated AAP’s network on **October 13, 2024**, exfiltrating sensitive personal and financial data before encrypting files. The compromised information includes **names, addresses, dates of birth, Social Security numbers, passport/driver’s license details, bank/routing numbers, medical records (treatment data, prescriptions, insurance info), and credentials (usernames/passwords)**. The breach poses severe risks of **identity theft, financial fraud, and medical data exploitation**, affecting customers, employees, and affiliated pharmacies. AAP secured its systems upon detection (October 23, 2024) and launched an investigation, while law firm **Edelson Lechtzin LLP** is pursuing a **class-action lawsuit** for victims. The incident underscores critical vulnerabilities in handling **highly regulated health and financial data**, with potential long-term reputational and operational damage to AAP and its pharmacy network.

Source: https://www.globenewswire.com/news-release/2025/11/18/3190519/0/en/DATA-BREACH-ALERT-Edelson-Lechtzin-LLP-is-Investigating-Claims-on-Behalf-of-American-Associated-Pharmacies-Customers-Whose-Data-May-Have-Been-Compromised.html

American Associated Pharmacies (AAP) cybersecurity rating report: https://www.rankiteo.com/company/rxaap

"id": "RXA0802508111925",
"linkid": "rxaap",
"type": "Breach",
"date": "10/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare (Pharmacy Services)',
                        'location': 'United States',
                        'name': 'American Associated Pharmacies (AAP)',
                        'size': 'Supports over 2,000 independent pharmacies',
                        'type': 'Member-owned cooperative'}],
 'customer_advisories': ['Review account statements',
                         'Monitor credit reports',
                         'Contact Edelson Lechtzin LLP for legal remedies if '
                         'affected'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes SSNs, medical records, '
                                        'financial data, and credentials)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)',
                                              'Financial Information',
                                              'Authentication Credentials']},
 'date_detected': '2024-10-23',
 'date_publicly_disclosed': '2025-11-18',
 'description': 'American Associated Pharmacies (AAP), a member-owned '
                'cooperative supporting over 2,000 independent U.S. '
                'pharmacies, detected a data breach on October 23, 2024. '
                "Hackers gained unauthorized access to AAP's network on "
                'October 13, 2024, exfiltrating sensitive personal and medical '
                'data before encrypting files. The compromised data includes '
                'names, addresses, Social Security numbers, medical records, '
                'health insurance details, prescription data, and financial '
                'information (e.g., bank account numbers, usernames, '
                'passwords). AAP secured its systems upon detection and '
                'initiated an investigation. A class action lawsuit is being '
                'investigated by Edelson Lechtzin LLP on behalf of affected '
                'individuals.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of highly sensitive personal '
                                       'and medical data; class action lawsuit '
                                       'initiated.',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of birth',
                                 'Social Security numbers',
                                 'Passport numbers',
                                 'Driver’s license/ID numbers',
                                 'Bank account and routing numbers',
                                 'Medical/clinical treatment details',
                                 'Provider names',
                                 'Medical record numbers',
                                 'Health insurance information',
                                 'Prescription data',
                                 'Usernames and passwords'],
            'identity_theft_risk': 'High (due to exposure of SSNs, financial '
                                   'data, and medical records)',
            'legal_liabilities': 'Class action lawsuit investigation by '
                                 'Edelson Lechtzin LLP for data privacy '
                                 'violations.',
            'payment_information_risk': 'High (bank account/routing numbers, '
                                        'usernames/passwords exposed)',
            'systems_affected': ['Computer network', 'File storage systems']},
 'initial_access_broker': {'high_value_targets': ['Sensitive personal data',
                                                  'Medical records',
                                                  'Financial information'],
                           'reconnaissance_period': 'Approximately 10 days '
                                                    '(from October 13, 2024, '
                                                    'to October 23, 2024)'},
 'investigation_status': "Ongoing (class action lawsuit investigation; AAP's "
                         'internal investigation completed but details not '
                         'disclosed)',
 'ransomware': {'data_encryption': True, 'data_exfiltration': True},
 'recommendations': ['Monitor credit reports and account statements for '
                     'suspicious activity',
                     'Implement stronger access controls and network '
                     'segmentation',
                     'Enhance endpoint detection and response (EDR) '
                     'capabilities',
                     'Conduct regular security audits and penetration testing',
                     'Provide identity theft protection services to affected '
                     'individuals'],
 'references': [{'date_accessed': '2025-11-18',
                 'source': 'GLOBE NEWSWIRE Press Release'}],
 'regulatory_compliance': {'legal_actions': ['Class action lawsuit '
                                             'investigation by Edelson '
                                             'Lechtzin LLP']},
 'response': {'communication_strategy': ['Public disclosure via press release '
                                         '(2025-11-18)',
                                         'Advisory to monitor credit reports '
                                         'and account statements'],
              'containment_measures': ['Secured systems upon detection of '
                                       'suspicious activity'],
              'incident_response_plan_activated': True},
 'stakeholder_advisories': ['Advisory to affected individuals to monitor for '
                            'identity theft/fraud'],
 'title': 'American Associated Pharmacies (AAP) Data Breach and Ransomware '
          'Incident',
 'type': ['Data Breach', 'Ransomware']}