Victims reported real-world consequences, including an uptick in spam and robocalls. One Pennsylvania plaintiff noted that her sensitive information remained within Rite Aid’s systems, making her vulnerable to future attacks unless the company took stronger security measures.
A Pattern of Security Failures?
This isn’t the first time Rite Aid has come under fire for cybersecurity lapses. The lawsuit highlighted a similar breach in May 2023, affecting 24,000 customers. Given this history, plaintiffs argued that Rite Aid should have anticipated being targeted again and implemented robust defenses to prevent another attack.
The June 2024 breach, they contended, was a direct result of Rite Aid’s failure to enact reasonable cybersecurity protocols. The lawsuit accused the company of negligence, breach of fiduciary duty, and unjust enrichment, among other claims, and sought injunctive relief to prevent future lapses.
A Deal Struck in Mediation
A breakthrough came in late January, when both sides engaged in mediation and reached an agreement in principle. According to a memorandum supporting preliminary approval, the settlement offers “tangible and immediate benefits” to victims while mandating significant improvements to Rite Aid’s cybersecurity framework. The company must now implement enhanced data security measures to prevent similar incidents.
