The Business & Technology Network
Helping Business Interpret and Use Technology

Rite Aid data breach settlement claims: Full guide

DATE POSTED: April 21, 2025

Rite Aid data breach investigations rarely make it onto a family’s weekend to‑do list, yet a few minutes of paperwork today could translate into thousands of dollars of compensation tomorrow. A hacker working with the RansomHub gang slipped into the pharmacy chain’s network on June 6 2024 and walked away with the personal information of 2.2 million customers. Eleven months later Rite Aid has agreed to a $6.8 million settlement that pays out up to $10,000 per victim. Below is the complete playbook—what was stolen, who qualifies, how to file, and how to harden your identity profile so the same data never costs you twice.

Incident timeline and scope of exposure

Cyber thieves breached Rite Aid’s systems in the early hours of June 6 2024 and exfiltrated customer names, street addresses, dates of birth, and driver’s‑license or other government‑ID numbers collected during transactions made between June 6 2017 and July 30 2018. Rite Aid detected and closed the intrusion in roughly twelve hours, but the data was already in the attacker’s possession. A notification campaign began in July 2024. Multiple lawsuits alleging inadequate safeguards were consolidated under the case Bianucci v. Rite Aid Corporation, and a Pennsylvania federal court gave preliminary approval to a settlement in March 2025. Final approval is scheduled for July 17 2025.

No Social Security numbers, banking credentials, or prescription details were confirmed stolen, yet the remaining data set is enough to open fraudulent accounts, redirect deliveries, and pass many identity‑verification screens. The breach also followed a similar 2023 incident, a fact the complaint cites to argue that management should have upgraded defenses sooner.

Who falls inside the settlement class

Any United States resident whose information was compromised or potentially compromised in the June 2024 intrusion qualifies as a class member. Most people who meet that definition already received a breach letter or email. Customers who believe they were affected but never received notification can still participate—contact Kroll Settlement Administration at 833‑421‑7672 to confirm status. Exclusions apply to judges overseeing the case, Rite Aid’s current or former officers and directors, and those who file a formal request to opt out.

How much money each customer can claim

The $6.8 million pool funds two separate payment tracks. Victims choose one:

  • Documented loss payment, up to $10,000.
  • Cash fund payment, prorated with no documentation.

Documented loss payment

This option reimburses verifiable out‑of‑pocket expenses connected to the breach, capped at $10,000 per person. Acceptable proof includes bank or credit‑card statements showing unauthorized charges, invoices for credit‑monitoring subscriptions purchased after June 6 2024, or receipts for professional services such as legal counsel, identity‑restoration vendors, or notary fees. Applicants should also include a brief narrative connecting each cost to the Rite Aid incident.

Cash fund payment

Claimants who prefer a simpler route—or cannot find paperwork—can file for a one‑time cash distribution with no supporting evidence. The dollar figure will depend on how many people file and how much money remains after documented losses, legal fees, and administrative costs. Historically, similar settlements have paid between $20 and $100 for claims without documentation, but the final amount will not be known until the distribution tally closes.

Important nuance: if you attempt a documented claim but provide incomplete paperwork, the administrator automatically recategorizes it as a cash‑only claim, ensuring you still receive something rather than nothing.

Step‑by‑step claim filing

  1. Gather evidence (optional). Collect bank statements, receipts, and confirmation emails that prove out‑of‑pocket losses. Organize them chronologically and highlight relevant transactions.
  2. Complete the form. Visit the official portal, RiteAidDataSettlement.com, and select either the online submission workflow or the printable PDF. Fill in contact details exactly as they appear on your breach notice to avoid identity mismatches.
  3. Choose your payment type. Select “Documented Loss” or “Cash Fund.” Upload evidence if you picked the first option. The site accepts PDFs, JPEGs, and PNGs up to ten megabytes each.
  4. Sign and submit. Digital signatures are accepted online. If mailing, send the completed form to: Rite Aid Data Breach Settlement Administrator, c/o Kroll Settlement Administration LLC, P.O. Box 225391, New York, NY 10150‑5391.
  5. Note the deadline. Claims must be submitted online or post‑marked by July 7 2025.

Key dates that control your legal options

  • June 6 2025 – last day to opt out or object
  • July 7 2025 – claim‑filing deadline
  • July 17 2025 – final approval hearing
  • Within 30 days of final approval – payout distribution, barring appeals

Opting out preserves the right to file an individual lawsuit against Rite Aid, but it also forfeits settlement money. Objecting lets you voice concerns in court while remaining in the class and still receiving funds if the judge approves the package.

Security actions to take today

Rite Aid offers twelve months of free credit monitoring and identity‑theft services, which class members should activate immediately. Complement that baseline with three additional moves.

  1. Freeze your credit. Contact Equifax, Experian, and TransUnion to lock files so no new credit line can be opened without a personal PIN. Freezing does not affect existing cards and can be lifted temporarily for legitimate applications.
  2. Upgrade password hygiene. Create unique, randomly generated passwords for pharmacy, banking, and government portals. A reputable password manager automates the process and flags reused credentials.
  3. Deploy multifactor authentication. Wherever possible, add a second factor such as a time‑based one‑time passcode or hardware key. This extra gate prevents attackers who only have your identity details from logging in.

Do I need a lawyer?

No. The settlement process is designed to be self‑service. Hiring counsel is optional and any fees you incur will not be reimbursed beyond the documented‑loss cap.

What counts as “related” expenses?

Any cost that would not have been incurred but for the breach. Examples include reissuing a driver’s license, professional credit repair, postage spent on fraud affidavits, or childcare needed to complete dispute filings.

How will I receive payment?

The claim form asks for your preference: paper check, ACH transfer, or digital payment via PayPal or Venmo. Provide accurate account details to avoid delays.

What happens if appeals delay the final order?

Funds remain in escrow until all appeals are resolved. Previous privacy class actions suggest delays of three to nine months are possible, though not guaranteed.

Will the cash payment be taxable?

Settlement proceeds intended to reimburse actual losses are usually not taxable, but general cash awards may be. Consult a tax professional to confirm how the IRS will treat your specific payout.

Next steps for readers

First, verify whether you fall inside the settlement class by checking your mailbox for the original breach notice or contacting the administrator. Second, decide whether documenting losses is worth your time. Third, file the claim before July 7 2025. Finally, strengthen identity defenses so your data cannot be weaponized again. Mark all critical dates on your calendar, save a copy of your submission, and track the settlement website for status updates. Compensation is only half the story; a fortified security posture ensures the Rite Aid data breach becomes a one‑time inconvenience rather than a recurring drain on your wallet.