Rite Aid to Blame for May 2023 Data Breach, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

Rite Aid faces a proposed class action over a May 2023 data breach that reportedly compromised the personal and health information of approximately 24,000 individuals.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 87-page case says that despite its legal obligation to keep consumers’ private data confidential and secure from unauthorized access, Rite Aid “negligently” failed to safeguard the information entrusted to it.

As a result, an unknown party was able to exploit a vulnerability in the software of a third-party vendor used by the pharmacy chain on May 27 of this year and access files that contain current and former customers’ full names, dates of birth, addresses, prescription information and, in some cases, health insurance information, the lawsuit alleges.

The complaint claims the cyberattack could have been prevented had Rite Aid implemented reasonable cybersecurity measures in accordance with its own representations, federal statutes and industry standards, such as encrypting sensitive information or deleting data that is no longer needed.

Although Rite Aid says it was alerted to the breach by its vendor partner on May 31, the defendant waited until July 19 to notify victims that their information had been compromised, the suit shares.

“Omitted from the Notice Letter were the dates of [Rite Aid’s] investigation, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again,” the case reads. “To date, these critical facts have not been explained or clarified to [the plaintiff] and Class Members, who retain a vested interest in ensuring that their Private Information remains protected.”

The plaintiff, a California resident who received notice that her information was impacted in the incident, says her unencrypted data and that of other affected individuals will likely be put up for sale on the dark web and used for criminal purposes. According to the filing, Rite Aid data breach victims now face a risk of identity theft and fraud that will remain for their respective lifetimes.

“The Data Breach has caused [the plaintiff] to suffer fear, anxiety, and stress, which has been compounded by the fact that Rite Aid has still not fully informed her of key details about the Data Breach’s occurrence,” the suit says. “As a result of the Data Breach, [the plaintiff] anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.”

What’s more, Rite Aid’s negligence is exacerbated by “repeated warnings and alerts” urging companies in possession of consumers’ private information to prepare for potential cyberattacks, which have become a growing but preventable threat in recent years, the case contends.

The lawsuit looks to cover anyone in the United States whose private information was accessed and/or acquired by an unauthorized party as a result of the data breach reported by Rite Aid in July 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.