In a dramatic legal turn, Rite Aid has consented to a $6.8 million settlement to resolve class action allegations that it failed to prevent a cyberattack compromising the sensitive information of over 2 million customers. The settlement, preliminarily approved by U.S. District Judge Harvey Bartle III on Tuesday, allows claimants to receive up to $10,000 for documented losses stemming from the breach, according to a court filing in Pennsylvania.
Delayed Response Sparks Outrage
The lawsuit, which consolidated multiple class actions, accused Rite Aid of negligence in handling customer data and delaying notification of the breach for over a month after it occurred in June 2024. Victims of the breach argued that Rite Aid’s notice lacked critical details, including whether the hackers had been identified or if the stolen data was held for ransom.
The pharmacy chain only offered credit monitoring and identity restoration services—an effort plaintiffs slammed as “woefully inadequate” given the scope of the breach. Critics contended that Rite Aid failed to disclose whether compromised data surfaced on the dark web, fueling further mistrust among affected consumers.
A Cyberattack with Alarming Consequences
The breach, which resulted from an unknown third party impersonating a Rite Aid employee, granted the attackers access to certain business systems. According to the company’s security incident notice, Rite Aid detected the breach within 12 hours and swiftly launched an internal probe. However, the stolen data included deeply personal details—names, addresses, birth dates, and even government-issued identification documents—linked to purchases made between June 6, 2017, and July 30, 2018.
