Rite Aid has decided to resolve a class action lawsuit over a June 2024 data breach that affected the personal data, including PHI, of around 2.2 million individuals. Class members are entitled to claim about $10,000 as reimbursement for documented expenses incurred because of the data breach.
On June 6, 2024, the RansomHub ransomware group accessed part of Rite Aid's computer systems, extracted sensitive information, and encrypted files. According to Rite Aid, the breach was discovered within 12 hours, but not soon enough to stop the theft of customer information. The stolen information related to customers who made purchases from June 6, 2017 to July 30, 2017, and included names, birth dates, addresses, driver’s license numbers, and other IDs. The impacted persons were offered free credit monitoring and identity theft protection services for one year.
Rite Aid faced multiple lawsuits over the data breach that made identical claims, so the lawsuits were consolidated into one class action. The plaintiffs filed the Margaret Bianucci v. Rite Aid Corporation lawsuit in the U.S. District Court for the Eastern District of Pennsylvania. The legal action claimed Rite Aid was negligent for not implementing proper cybersecurity procedures and then delayed sending breach notification letters for over one month. The plaintiffs contended that the notification letters omitted critical information, for example, whether the incident was a ransomware attack and whether the stolen information was published on the dark web. The plaintiffs said they received more recorded messages and spam after the data breach and stated that the one-year credit monitoring services were not enough.
The plaintiffs contended that Rite Aid was aware of the risk of cyberattacks and data security breaches, and that prior incidents must have made it apparent that Rite Aid was likely to be attacked again. Besides negligence, the lawsuit alleged breach of fiduciary duty and unjust enrichment. Although Rite Aid contested the lawsuit, after mediation it agreed in principle to a proposed settlement in January 2024. The settlement offers tangible and quick compensation to the victims and requires Rite Aid to improve its cybersecurity procedures to avoid similar security breaches in the future.
The terms of the settlement require Rite Aid to set up a $6.8 million fund to pay for claims, class representative awards, attorneys’ fees, and legal costs and expenses until the settlement fund is exhausted. Class members are eligible to file claims for approximately $10,000 for unreimbursed, documented expenses likely incurred because of the data breach. Alternatively, class members can opt for a cash payment, which will be paid after costs and expenses, attorneys’ fees, and claims have been deducted. The amount of the cash payment a claimant receives will depend on how many claims are submitted. The court gave its preliminary approval of the settlement on March 4, 2025. The final approval hearing is scheduled for July 17, 2025.