ACLU sues over RIPTA data breach affecting state employees

The lawsuit argues that both RIPTA and UHC did not adequately encrypt and secure the personal information from unauthorized access by third parties as required by federal standards, and were negligent in failing to properly maintain, protect, purge and safely destroy the data.

October 25, 2022, 5:06 pm

By Steve Ahlquist

Cooperating attorneys for the American Civil Liberties Union of Rhode Island (ACLU) filed a class-action lawsuit today against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over an August 2021 data breach at RIPTA that compromised the Social Security numbers and other personal and health care information of thousands of individuals, including many with no connection to RIPTA.

To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.

The lawsuit, filed by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips, is on behalf of two named plaintiffs – Alexandra Morelli, a University of Rhode Island employee, and Diane Cappalli, a since-retired RIPTA employee now living out of state – who are seeking to represent a class of more than 20,000 current and former state employees.

RIPTA had no comment at this time.

The class members, the lawsuit alleges, have been exposed to an “ongoing risk of fraud and identity theft which requires continued monitoring of their financial accounts, future financial footprints, their credit profiles, and their very identities.” In fact, the suit claims that since the breach, plaintiff Alexandra Morelli has had to deal with fraudulent activities on some of her credit cards and unauthorized withdrawals from her bank account.

“I can personally speak to the stress this has caused me,” said Morelli. “Earlier this year I was notified about the data breach and since then my personal and financial information was compromised in multiple ways. Within a period of a few weeks there were fraudulent withdrawals totaling thousands of dollars from my personal savings account, and several of my credit cards had fraudulent activities and purchases… This entire experience was and continues to be anxiety provoking.”

Though Morelli has been made whole and has gotten her money back, the time she spent doing so cost her at a time when she was getting married and starting a family.

The lawsuit argues that both RIPTA and UHC did not adequately encrypt and secure the personal information from unauthorized access by third parties as required by federal standards, and were negligent in failing to properly maintain, protect, purge and safely destroy the data. The suit specifically alleges that these deficiencies violated two state laws designed to preserve healthcare confidentiality and protect against identity theft.

Among the allegations in the complaint are the following:

  • The data files provided by UHC to RIPTA included information not only for individuals insured under RIPTA’s healthcare plan but also for approximately 17,000 non-RIPTA state employees. RIPTA later revealed that roughly 5,000 additional out-of-state residents had also had their information breached.
  • RIPTA formally notified individuals that their personal information had been hacked 138 days after first discovering the breach, even though state law sets a 45-day deadline for such notification.
  • The notification letter failed to specify whether the individual’s breached data was limited to general personal information, such as SSNs, or also included personal health information.
  • When RIPTA posted a notice about the breach on its website in December 2021, it falsely stated that the hacked data files were limited to the “personal information of our health plan beneficiaries,” when RIPTA knew that the data of non-RIPTA employees had been hacked as well.

The lawsuit seeks an award of compensatory and punitive damages; attorney’s fees; an order requiring the defendants to pay for and provide adequate identity and credit monitoring service through a third-party vendor for ten years; and an order obliging the defendants to take numerous steps to implement and maintain a comprehensive information security program to protect the confidentiality and integrity of the personal information of the class members.

The ACLU has set up a special email address where people who wish to provide evidence of harm they have faced as a result of last year’s data breach can share it with the ACLU and the attorneys handling the lawsuit. The email address is [email protected].

The ACLU and attorneys in the case said today that the incident also should prompt the General Assembly to adopt even stronger statutory remedies against state agencies and healthcare providers that fail to adequately protect the confidentiality of personal data they maintain. Those remedies could include an automatic minimum award of damages to affected individuals, the imposition of hefty fines to serve as a deterrent, and free lifetime credit monitoring.

A copy of the complaint and background information on the suit can be found here.