Rite Aid was one of numerous entities affected by the massive MOVEit breach. In July, they disclosed that 24,400 patients’ pharmacy information including medication names and dates of fill, prescriber information and limited insurance information was involved. They were notified by their vendor of the breach on May 31.
Now it is reportedly being sued, with plaintiffs claiming that Rite Aid was reckless and negligent in not using data encryption. From the complaint:
12. Plaintiff and Class Members have suffered injuries as a result of Defendant’s conduct. These injuries include: (i) invasion of privacy; (ii) loss of benefit of the bargain; (iii) lost time, spent on activities remedying harms resulting from the Data Breach; (iv) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; and (v) the continued and certainly increased risk to their Private Information, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remain backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the Private Information
If every victim of the MOVEit breach gets sued for negligence for not encrypting data, then…..
DataBreaches will be watching this one to see if it gets dismissed.