Rite Aid Settles Data Breach Lawsuit for $6.8 Million

Rite Aid has agreed to settle a class action lawsuit over a June 2024 data breach that involved the personal information of approximately 2.2 million customers. Class members can claim up to $10,000 as reimbursement for documented expenses incurred as a result of the data breach.

On June 6, 2024, the RansomHub ransomware group gained access to some of Rite Aid’s computer systems, exfiltrated sensitive data, and encrypted files. According to Rite Aid, the breach was identified within 12 hours, but not in time to prevent the theft of customer data. The stolen data related to customers who made purchases between June 6, 2017, and July 30, 2017, and included names, addresses, dates of birth, driver’s license numbers, and other ID documents. The affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

Several lawsuits asserting similar claims were filed in response to the data breach. The lawsuits were consolidated into a single action – Margaret Bianucci v. Rite Aid Corporation – in the U.S. District Court for the Eastern District of Pennsylvania. The lawsuit alleged Rite Aid was negligent for failing to implement appropriate cybersecurity measures, and then delayed issuing breach notification letters for more than a month. The plaintiffs argued that the notification letters lacked important information, such as whether it was a ransomware attack and whether the stolen data had been uploaded to the dark web. The plaintiffs claimed to have experienced an uptick in robocalls and spam following the data breach and said the 12 months of credit monitoring services were woefully insufficient.

The plaintiffs argued that Rite Aid is no stranger to cyberattacks and data breaches, and that previous incidents should have made it clear that Rite Aid was likely to be targeted again. In addition to negligence, the lawsuit claimed unjust enrichment and breach of fiduciary duty. While Rite Aid fought the lawsuit, following mediation, an agreement was reached in principle on a potential settlement in January 2024, with the settlement providing tangible and immediate benefits to the victims and requiring Rite Aid to make improvements to its cybersecurity program to prevent similar security breaches in the future.

Under the terms of the settlement, Rite Aid will establish a $6.8 million fund to cover claims, attorneys’ fees, class representative awards, and legal costs and expenses, with the settlement due to exhaust the settlement fund. Class members are entitled to submit claims for up to $10,000 for unreimbursed, documented expenses incurred more likely than not as a result of the data breach. Alternatively, class members may choose to receive a cash payment, which will be paid pro rata after costs and expenses, attorneys’ fees, and claims have been paid. The amount of the cash award will depend on the number of claims received. The settlement received preliminary approval from the court on March 4, 2025, and the final approval hearing has been scheduled for July 17, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
