Canadian pharmacy and retail chain London Drugs has closed all its stores temporarily as it responds to a cybersecurity incident that occurred over the weekend.
London Drugs first announced it was experiencing “an operational issue” on Sunday afternoon causing its stores across Western Canada to close “until further notice.”
The company confirmed Monday that the issue was due to a “cybersecurity incident” and initially said it had no reason to believe the data of customers or employees was impacted.
However, London Drugs released a statement Tuesday saying it is investigating the extent to which data may have been compromised, and will notify individuals if their personal information was impacted in accordance with privacy laws.
The pharmacy chain is working with “leading third-party cybersecurity experts” to safely restore operations; meanwhile, more than 80 stores remain closed indefinitely.
The company also said Monday that it temporarily shut down its phone lines as part of its investigation, but that pharmacy staff would still be on-site to address customers with urgent pharmacy needs.
“Recognizing the impact these closures have had on our customers and employees across Western Canada, it remains our priority to continue working around the clock to have all stores fully operational,” Clint Mahlman, chief operating officer and president of London Drugs, said in a statement provided to SC Media.
London Drugs did not confirm or deny whether the incident was a ransomware attack and did not provide further details about the nature of the attack when inquired.
London Drugs has more than 80 stores across Alberta, Saskatchewan, Manitoba and British Coumbia, and more than 8,000 employees, according to its website. In addition to its pharmacy services, the chain also sells various retail goods such as groceries, electronics and other household supplies.
Cyberattacks on the healthcare sector pose unique risks compared with attacks on other sectors, both financially and in regard to patient care and privacy.
In North America, healthcare was the third-most targeted sector for cyberattacks in 2023, according the IBM X-Force Threat Intelligence Index 2024 report, making up 15% of attacks. Healthcare ranked sixth in the share of attacks globally in 2023, making up 6.3% of targets, up from a 5.8% share in 2022.
Additionally, the average cost of a healthcare data breach in 2023 was $10.93 million USD, a 53.3% increase from 2020, and healthcare breaches were the most expensive compared with breaches in other industries, according to IBM’s Cost of a Data Breach Report 2023. Breaches in the pharmaceutical sector were the third-most expensive, costing an average of $4.82 million in 2023, a decrease from $5.01 million in 2022.
As seen with the Change Healthcare breach in the United States, attacks impacting healthcare pharmaceutical services can disrupt patients’ access to care and put sensitive personal health information (PHI) at risk.
Retail companies are also a common target for cybercriminals, emerging as the third-most attacked industry in Canada in 2022, making up 10% of all cyberattacks in the country and 8.7% globally that year, according to IBM. The average cost of a retail data breach in 2023 was $2.96 million USD, according to the Cost of a Data Breach Report.
