Rite Aid is the latest company to suffer a massive data breach and is notifying some 2.2 million customers that their sensitive information was stolen.

In a letter to customers that was filed with the Massachusetts attorney general, Rite Aid says bad actors gained access to the company’s systems by impersonating an employee and “compromise their business credentials.” The company says it detected the issue within 12 hours and immediately investigated to understand the scope of the breach.

According to the company, data that includes “purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018,” was stolen by the hackers. Rite Aid said no Social Security numbers, financial information, or patient information was compromised.

Rite Aid is working with federal and state regulators, as well as as law enforcement in the wake of the breach. The company has also secured the services of Kroll to provide customers with identity monitoring services at no cost.

Interestingly, Ars Technica reports that RansomHub—the group responsible—claimed to be in advanced negotiations with Rite Aid officials over the stolen data when the company suddenly broke off communications and went radio silent.

It’s unclear if Rite Aid stopped communicating with the ransomware group over the price being demanded, or in response to law enforcement involvement, since law enforcement usually advocates against paying the ransom.