Class Action Filed Over February 2021 Rite Aid Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Rite Aid Corporation has been hit with a proposed class action over a February 2021 data breach during which the personal information of thousands of patients was reportedly exposed to unauthorized parties.

The lawsuit alleges Rite Aid violated state and federal laws, and fell short of its own representations regarding the security of patient information, by failing to properly safeguard the personal and health data with which it was entrusted by healthcare providers.

Moreover, the case claims Rite Aid has waited “an unreasonable amount of time under any objective standard” to warn data breach victims that their information was exposed, and done “very little” to protect them from identity theft and fraud.

According to the suit, the Rite Aid data breach has resulted in “devastating financial and personal losses” for thousands of consumers.

The lawsuit alleges Rite Aid first became aware of “unusual activity” on electronic files it maintains for healthcare providers in early February 2021. A subsequent investigation allegedly revealed that certain files containing patients’ names, dates of birth and prescription information were exposed to unauthorized parties who gained access to Rite Aid’s server on February 6.

According to the suit, because Rite Aid failed to encrypt the sensitive files, employ proper safeguards and train its employees on how to defend against threats, hackers were able to access patients’ information “using relatively unsophisticated means.”

The case contends that Rite Aid’s conduct is even more egregious considering the pharmacy chain waited three months after discovering the breach before sending out notice to those who were affected. As the suit tells it, the defendant chose to wrap up its investigation and “develop its excuses and speaking points” before providing patients with the information they needed to protect themselves from the unauthorized use of their data.

Moreover, the lawsuit claims Rite Aid has offered victims little help with defending against identity theft and fraud and instead encouraged them in a May 2021 notice to “remain vigilant” and review their accounts and explanation of benefits forms for fraudulent activity.

“In effect,” the complaint states, “[Rite Aid is] shirking its responsibility for the harm it has caused and putting it all on the Breach Victims.”

Per the case, Rite Aid has not only violated federal and state laws that aim to protect consumers’ personal and health information from unauthorized access but its own privacy policy representations that patients’ data would be kept safe. From the complaint:

The lawsuit, which was recently removed from Los Angeles County Superior Court to California’s Central District Court, looks to represent California citizens who received care at a facility, satellite or urgent care location of a healthcare provider served by the defendant on or before February 6, 2021, and was sent a notice from the defendant that their information was compromised.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.