Rite Aid Sale of Customer Health Data Looms as Security Concern

May 16, 2025, 9:00 AM UTC

The pending sale of millions of customer health records as part of Rite Aid Corp.’s bankruptcy proceedings is putting a spotlight on data security protections as the health-care industry battles increasing cyber incidents.

The pharmacy chain filed May 5 for Chapter 11 protection, less than a year since it exited its first bankruptcy in August 2024. A rival pharmacy is expected to acquire its most valuable assets: customers’ prescription information. A federal judge green-lit an expedited sale of Rite Aid’s patient records to avoid disrupting supplies of the 100 million prescriptions it delivers to customers each year.

Rite Aid has received bids from Walgreens Boots Alliance Inc., Albertsons Cos., and CVS Health Corp., among others. They’ll be presented to the bankruptcy court on May 21.

The data sale comes on the heels of 23andMe Holding Co.’s bankruptcy filing, which put the genetic data of more than 15 million customers up for sale in a “Wild West” regulatory environment largely outside the scope of federal health privacy laws.

Unlike 23andMe, Rite Aid’s prescriptions data transfer falls firmly under the Health Insurance Portability and Accountability Act of 1996—known as HIPAA. But it comes with other risks.

The bankruptcy proceedings are unfolding amid a steady rise in data breaches and cyber attacks against hospitals, health insurers, pharmacies—and even Rite Aid itself, which failed to protect the personal information of more than two million customers during a 2024 breach.

The unusual bulk of health data about to change hands will put the onus on both Rite Aid and its future buyer to comply with a patchwork of applicable laws and to prepare for inevitable security risks.

Rite Aid didn’t immediately respond to a request for comment.

“I’d want the most technologically savvy person from the debtor to speak to the most technologically savvy person receiving the data,” said Elizabeth G. Litten, partner, chief privacy and HIPAA compliance officer at Fox Rothschild.

A Regulated Transfer

HIPAA addresses the use and disclosure—including during bankruptcy—of individuals’ personal health information, and spells out both privacy and security requirements for the organizations like Rite Aid that are subject to the rule, known as covered entities. The data in scope here includes details about customers’ mental and physical health conditions, prescribed treatments, and payments used for health-care services.

Compliance risks for Rite Aid won’t stop with the bankruptcy filing—especially when it comes to HIPAA requirements. The Department of Health and Human Services (HHS) has warned that HIPAA applies regardless of whether a health-care entity is opening or closing its doors.

In 2018, the regulator hit medical records storage and management company Filefax Inc. with a $100,000 fine for HIPAA violations two years after it filed for bankruptcy, finding that it had failed to safeguard protected health information.

Rite Aid won’t be able to just “drop off a bunch of unencrypted servers on the doorstep of the acquiring entity,” said Adam H. Greene, partner at Davis Wright Tremaine LLP and former counsel at HHS’ Office for Civil Rights.

The buyer of Rite Aid’s prescription records will most likely be another covered entity already familiar with HIPAA compliance. But taking on the vast trove of prescription data will bring additional scrutiny.

The Federal Trade Commission has regularly reminded companies that consumer data must be protected even during bankruptcy proceedings. In March, FTC Chairman Andrew Ferguson addressed 23andMe’s sale of sensitive data and warned that privacy promises made by the genetic testing company must be kept by any purchaser.

The same requirements will apply to Rite Aid’s buyer.

Rite Aid is still subject to a 2023 FTC consent order banning it from using facial recognition technology for surveillance purposes and requiring it to implement a robust information security program. An FTC spokesperson told Bloomberg Law on Thursday that the agency is “taking steps to make sure it complies with that order.”

The proceedings will also be governed by state privacy laws—especially when it comes to non-health related consumer information that is subject to privacy protections.

“There will be eyes on how the data is transferred, and how it’s actually handed over,” said Laura Coordes, a law professor at Arizona State University who researches bankruptcy and financial distress.

Multitude of Cyber Risks

In addition to compliance, both parties should brace for security risks to emerge as soon as they prepare to exchange customer data.

The buyer could have excellent information security with respect to its own systems, for example, but may have limited visibility into the level of security protecting Rite Aid’s systems.

Even if both companies have strong security in place, their systems might not be fully compatible. The buying pharmacy will have to determine how well those systems talk to each other, and whether the data can be safely transferred while ensuring it stays confidential and accessible, Greene said.

“Anytime you just combine two different information system structures, it introduces a bunch of variables that could impact security,” he added.

Depending on the timing of the bankruptcy proceedings, the parties may want to consider entering into a custodial agreement with another entity to hold and protect the data, Litten said. That third party would need to be either a business associate or a covered entity subject to HIPAA requirements.

Either way, “you need to do some vetting,” including examining their security risk assessments, she said.

Following best security practices won’t be a silver bullet against the increasingly sophisticated and frequent cyber attacks riddling health-care supply chains.

The Biden administration proposed filling some of the industry’s cyber gaps with updates to HIPAA’s security rules during its final weeks in office; those proposals are still pending and face an uncertain future under the Trump administration.

“In reality, it’s really challenging for HIPAA-covered entities to protect the data properly,” said Sara Gerke, a law professor at University of Illinois Urbana-Champaign. The frequency of cyber incidents shows “there is a need to protect the data better.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Jeff Harrington at jharrington@bloombergindustry.com; David Jolly at djolly@bloombergindustry.com
