Rite Aid is the U.S. fourth-biggest pharmacy chain. A class action lawsuit was filed against Rite Aid over a June 2024 data breach that compromised the data, including protected health information of 2.2 million clients. The breach into the company’s business systems occurred on June 6, 2024, when an unidentified third party impersonated a company staff and tricked other staff into revealing their credentials. Although Rite Aid discovered the unauthorized access in 12 hours and acted swiftly, they could not stop the third party from stealing customer information.
The stolen data during the attack contained the following customers’ data elements: names, addresses, birth dates, and government-issued IDs or driver’s license numbers, particularly for those who bought something from June 6, 2017 to July 30, 2018. Consumers were informed in the middle of July and provided with complimentary identity monitoring services.
The Erica Judka v. Rite Aid Corporation lawsuit was registered in the U.S. District Court for the Eastern District of Pennsylvania. As per the lawsuit, Rite Aid committed negligence by not using sufficient cybersecurity measures, reasoning that it was possible to prevent the breach with better defenses. Although notification letters were sent immediately, the plaintiff contends that crucial details were lacking, for instance, the identity of the attacker, if a ransom was demanded, and if the stolen information was posted on the dark web. According to the plaintiff, her data was also misused, citing an increase in spammy emails and robocalls after the breach.
Besides negligence, the lawsuit claims breach of fiduciary duty and breach of confidence and wants class action certification for a class of 2.2 million people, a jury trial, damages, legal expenses, attorneys fees, and injunctive relief, including a court order asking Rite Aid to use extra security procedures. The legal representatives of the plaintiff and class are lawyers from Sciolla Law Firm LLC and Laukaitos Law LLC.
