FOLLOW US

In a dramatic legal turn, Rite Aid has consented to a $6.8 million settlement to resolve class action allegations that it failed to prevent a cyberattack compromising the sensitive information of over 2 million customers. The settlement, preliminarily approved by U.S. District Judge Harvey Bartle III on Tuesday, allows claimants to receive up to $10,000 for documented losses stemming from the breach, according to a court filing in Pennsylvania.

Delayed Response Sparks Outrage

The lawsuit, which consolidated multiple class actions, accused Rite Aid of negligence in handling customer data and delaying notification of the breach for over a month after it occurred in June 2024. Victims of the breach argued that Rite Aid’s notice lacked critical details, including whether the hackers had been identified or if the stolen data was held for ransom.

The pharmacy chain only offered credit monitoring and identity restoration services—an effort plaintiffs slammed as “woefully inadequate” given the scope of the breach. Critics contended that Rite Aid failed to disclose whether compromised data surfaced on the dark web, fueling further mistrust among affected consumers.

A Cyberattack with Alarming Consequences

The breach, which resulted from an unknown third party impersonating a Rite Aid employee, granted the attackers access to certain business systems. According to the company’s security incident notice, Rite Aid detected the breach within 12 hours and swiftly launched an internal probe. However, the stolen data included deeply personal details—names, addresses, birth dates, and even government-issued identification documents—linked to purchases made between June 6, 2017, and July 30, 2018.

Victims reported real-world consequences, including an uptick in spam and robocalls. One Pennsylvania plaintiff noted that her sensitive information remained within Rite Aid’s systems, making her vulnerable to future attacks unless the company took stronger security measures.

A Pattern of Security Failures?

This isn’t the first time Rite Aid has come under fire for cybersecurity lapses. The lawsuit highlighted a similar breach in May 2023, affecting 24,000 customers. Given this history, plaintiffs argued that Rite Aid should have anticipated being targeted again and implemented robust defenses to prevent another attack.

The June 2024 breach, they contended, was a direct result of Rite Aid’s failure to enact reasonable cybersecurity protocols. The lawsuit accused the company of negligence, breach of fiduciary duty, and unjust enrichment, among other claims, and sought injunctive relief to prevent future lapses.

A Deal Struck in Mediation

A breakthrough came in late January, when both sides engaged in mediation and reached an agreement in principle. According to a memorandum supporting preliminary approval, the settlement offers “tangible and immediate benefits” to victims while mandating significant improvements to Rite Aid’s cybersecurity framework. The company must now implement enhanced data security measures to prevent similar incidents.