American Associated Pharmacies (AAP) Breach Incident Score: Analysis & Impact (RXA0802508111925)

In this Rankiteo incident briefing, we review the American Associated Pharmacies (AAP) breach identified under incident ID RXA0802508111925.

The analysis begins with a detailed overview of American Associated Pharmacies (AAP)'s information like the linkedin page: https://www.linkedin.com/company/rxaap, the number of followers: 3872, the industry type: Pharmaceutical Manufacturing and the number of employees: 138 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 753 and after the incident was 687 with a difference of -66 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on American Associated Pharmacies (AAP) and their customers.

On 18 November 2025, American Associated Pharmacies (AAP) disclosed Data Breach and Ransomware issues under the banner "American Associated Pharmacies (AAP) Data Breach and Ransomware Incident".

American Associated Pharmacies (AAP), a member-owned cooperative supporting over 2,000 independent U.S.

The disruption is felt across the environment, affecting Computer network and File storage systems, and exposing Names, Addresses and Dates of birth.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Secured systems upon detection of suspicious activity, and stakeholders are being briefed through Public disclosure via press release (2025-11-18) and Advisory to monitor credit reports and account statements.

The case underscores how Ongoing (class action lawsuit investigation; AAP's internal investigation completed but details not disclosed), and recommending next steps like Monitor credit reports and account statements for suspicious activity, Implement stronger access controls and network segmentation and Enhance endpoint detection and response (EDR) capabilities, with advisories going out to stakeholders covering Advisory to affected individuals to monitor for identity theft/fraud.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating hackers gained unauthorized access to AAPs network on October 13, 2024 and External Remote Services (T1133) with moderate confidence (60%), supported by evidence indicating infiltrated AAP’s network with no specific vector; 10-day reconnaissance period suggests persistent access. Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with high confidence (90%), supported by evidence indicating usernames and passwords listed in compromised data and OS Credential Dumping (T1003) with moderate to high confidence (70%), supported by evidence indicating exfiltration of credentials implies potential dumping from system stores. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating exfiltration of PII/PHI/financial data from computer network and file storage systems and Data from Information Repositories (T1213) with high confidence (90%), supported by evidence indicating compromised medical records, health insurance info, prescription data from structured repositories. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol (T1048) with moderate to high confidence (80%), supported by evidence indicating exfiltrating sensitive personal and financial data prior to encryption and Automated Exfiltration (T1020) with moderate to high confidence (75%), supported by evidence indicating large-scale data breach (PII/PHI/financial) suggests automated collection/exfiltration. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), supported by evidence indicating encrypting files after exfiltration (ransomware) and Data Destruction (T1485) with moderate confidence (60%), supported by evidence indicating ransomware encryption may render data permanently inaccessible without decryption. Under the Defense Evasion tactic, the analysis identified File Deletion: Indicator Removal (T1070.004) with moderate to high confidence (70%), supported by evidence indicating 10-day dwell time suggests efforts to evade detection before encryption and Disable or Modify Tools: Impair Defenses (T1562.001) with moderate confidence (60%), supported by evidence indicating no detection until October 23 despite initial access on October 13. Under the Persistence tactic, the analysis identified Account Manipulation (T1098) with moderate to high confidence (70%), supported by evidence indicating 10-day reconnaissance period implies potential account manipulation for persistence. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.