Rite Aid Data Breach Exposes Unencrypted Patient Information California Class Action

Companies have a responsibility to protect the private information that customers entrust to them. But Rite Aid Corporation has the additional responsibility to keep its customers’ medical information private, says the complaint for this class action. The complaint brings suit under California’s Confidentiality of Medical Information Act (CMIA), alleging Rite Aid failed to take adequate measures to protect the customers’ private information and prevent a data breach.

The class for this action is all citizens of California who received care at a facility, satellite, or urgent care location of providers that were served by Rite Aid on or before February 6, 2021 and who received a Notice from Rite Aid saying that their information was compromised in the data breach.

The complaint alleges, “Due to [Rite Aid’s] mishandling of personal medical information recorded onto [Rite Aid’s] computer network, there was an unauthorized release of … confidential medical information that occurred on or about February 6, 2021…”

According to the complaint, the data breach was due to Rite Aid’s inadequate protection of the information: Rite Aid “negligently created, maintained, preserved, and stored … confidential medical information in a non-encrypted format onto a data server which became accessible to an unauthorized person, without Plaintiff[’] and the Class members’ prior written authorization.”

The plaintiff in this case, Esther Burch, lives in California. She was a patient of Rite Aid, because Rite Aid serves her medical provider, Fairchild Medical Center (FMC). According to the complaint, Burch’s “individual identifiable medical information derived by [Rite Aid] in electronic form was in possession of [Rite Aid], including but not limited to [Burch’s] medical history, mental or physical condition, or treatment, including diagnosis and treatment dates.” It also included personal information such as her name, date of birth, address, medical record number, insurance provider, and possibly other information such as her Social Security number.

The complaint claims, “Since receiving treatment at [Rite Aid’s] facilities, [Burch] has received numerous solicitations by mail from third parties at an address she only provided to [Rite Aid].”

She also received a notice from Rite Aid that her personal medical and identifying information were disclosed in a data breach. This came in a Notice sent on or around May 18, 2021 that spoke of “an unusual activity involving certain of its electronic files” that Rite Aid kept for some healthcare providers, including FMC.

The Notice claimed that Rite Aid immediately undertook an investigation, which “determined that certain files were accessed and acquired on February 6, 2021 without authorization”—that is, in a data breach that took place more than three months before Rite Aid notified her. “During this time,” the complaint claims, “cyber criminals had free rein to surveil and defraud their unsuspecting victims.” It claims that Rite Aid “chose to complete its internal investigation and develop its excuses and speaking points” before giving the victims the information necessary to begin to protect themselves.

The complaint adds the accusation, “It is apparent from [Rite Aid’s] Notice that the Personal and Medical information contained within the server was not encrypted.” It further claims that Rite Aid “has done very little to protect Breach Victims.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Rite Aid Data Breach Exposes Unencrypted Patient Information California Complaint

November 1, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy