Further documenting the incident’s devastating and overwhelming impact, cooperating attorneys for the American Civil Liberties Union of Rhode Island (“ACLU”) have filed an amended complaint in their pending class-action lawsuit against the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) over an August 2021 data breach that compromised the Social Security numbers and other personal and health care information of more than 20,000 current and former state employees, including many with no connection to RIPTA.

The 68-page amended complaint adds eleven plaintiffs to the lawsuit as “class representatives” and describes the fraud, identity theft and hacking of bank and credit card accounts for thousands of dollars that some of them experienced after the breach, and for others the discovery that their personal information could be found on the “Dark Web,” a non-public area of the Internet that cannot be accessed through the use of standard web browsers and is often used for criminal activity, including the sale of confidential information to engage in identity theft. 

To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why – in violation of notification requirements in state law – it took over four months for RIPTA to apprise both their employees and other affected individuals that their information had been hacked. The amended complaint cites testimony provided at a legislative hearing in January 2022 at which RIPTA representatives testified but UHC representatives refused to attend. Those testifying for RIPTA acknowledged that “nothing was encrypted up to the point of the breach,” and that the breach included such data as Medicare ID numbers, providers’ names and dates of service, which could, the amended complaint states, “expose an individual’s health care history, diagnosis, condition, and treatment.” 

The lawsuit argues that neither RIPTA and UHC adequately encrypted and secured the personal information from unauthorized access by third parties as required by federal standards, and that they were negligent in failing to properly maintain, protect, purge and safely destroy the data. The suit alleges that these deficiencies violated two state laws designed to preserve healthcare confidentiality and protect against identity theft. The revised complaint also adds a number of other legal claims, including that UHC’s misrepresentation that it would maintain adequate security practices to protect from unlawful disclosure the personal medical information it collected violated the state’s Deceptive Trade Practices Act.

            Among the troubling factual allegations contained in the original complaint:

         • The data files provided by UHC to RIPTA included information not only for individuals insured under RIPTA’s healthcare plan but also for approximately 17,000 non-RIPTA state employees.  RIPTA later revealed that roughly 5,000 additional out-of-state residents had also had their information breached.

         • RIPTA formally notified individuals that their personal information had been hacked 138 days after first discovering the breach, even though state law sets a 45-day deadline for such notification. 

         • The notification letter failed to specify whether the individual’s breached data was limited to general personal information, such as SSNs, or also included personal health information.

         • When RIPTA posted a notice about the breach on its website in December 2021, it falsely stated that the hacked data files were limited to the “personal information of our health plan beneficiaries,” when RIPTA knew that the data of non-RIPTA employees had been hacked as well.  

The amended complaint does not revise the request for relief from the original filing last October: an award of compensatory and punitive damages; attorneys’ fees; an order requiring the defendants to pay for and provide adequate identity and credit monitoring service through a third-party vendor for ten years; and an order obligating RIPTA and UHC to take numerous steps to implement and maintain a comprehensive information security program to protect the confidentiality and integrity of the personal information of the class members.

The lawsuit is being handled by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips. Attorney Wasylyk said today: “We felt it was important to amend the lawsuit to give stronger voice to the individuals whose lives have been adversely affected in significant ways by this data breach. This is not an abstract concern. The time, the expense and the concerns that flow from seeing your bank account drained or your credit card hacked or learning that your personal information is in the dark corners of the Internet demand a remedy. We hope the stories told by our named plaintiffs – representing many others who have faced similar consequences from this breach – demonstrate the need for meaningful judicial relief.”

A copy of the amended complaint and background information on the suit can be found here.