Rite Aid Data Breach Lawsuit Says 2.2 Million People Impacted by 2024 Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

Rite Aid faces a proposed class action lawsuit over a reported 2024 data breach during which the sensitive personal information of roughly 2.2 million people was stolen.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 41-page Rite Aid data breach lawsuit says the drugstore chain detected the cybersecurity incident on June 6, reportedly 12 hours after hackers had accessed its systems using employee credentials. The case alleges the Rite Aid data breach stemmed from the company’s failure to implement reasonable and appropriate cybersecurity measures to protect against “the foreseeable threat of a cyberattack.”

The Rite Aid data breach notice filed with the Maine Attorney General specifies that data compromised in the incident included consumer names, addresses, dates of birth, driver’s license numbers and other forms of government IDs presented at the point of purchase between June 6, 2017 and July 30, 2018. No Social Security numbers or financial or patient information was impacted, the company said.

Omitted from the disclosure, the suit says, is whether the criminals responsible for the Rite Aid data breach were identified, whether the stolen data was held for ransom, how the breach was discovered, the mechanism of the attack, and what steps Rite Aid took in the wake of the incident to protect its systems, among answers to other questions.

“Rite Aid also did not disclose whether its investigation detected the compromised information on the dark web,” the data breach lawsuit reads. “Rite Aid simply offered access to credit monitoring and identity restoration services through Kroll at no charge to affected individuals but, as Plaintiff’s allegations will make clear, this offer is woefully inadequate.”

The case goes on to contend that Rite Aid’s failure to timely notify data breach victims prevented impacted consumers from being able to immediately take action to prevent or mitigate harm from the incident. Though the breach was reportedly detected in June 2024, Rite Aid did not begin to notify victims until around July 15, the case claims.

Tech publication BleepingComputer.com reports that a ransomware group called RansomHub claimed responsibility for the Rite Aid data breach, though the defendant has not confirmed them to be behind the attack.

By obtaining consumers’ sensitive information in the course of normal business, Rite Aid took on the obligation of safeguarding that data, the case stresses, noting that the stolen information was apparently unencrypted in Rite Aid’s systems.

Rite Aid has previously been hit with class action lawsuits over data breaches that occurred in 2021 and 2023.

The Rite Aid data breach class action looks to cover anyone in the United States whose personally identifiable information was compromised in the data breach disclosed by Rite Aid, including all those who received notice about the incident.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.