Cooperating attorneys for the American Civil Liberties Union of Rhode Island (“ACLU”) have today filed a class-action lawsuit against the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) over an August 2021 data breach at RIPTA that compromised the Social Security numbers and other personal and health care information of thousands of individuals, including many with no connection to RIPTA.
To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.
The lawsuit, filed by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips, is on behalf of two named plaintiffs – Alexandra Morelli, a URI employee, and Diane Cappalli, a since-retired RIPTA employee now living out of state – who are seeking to represent a class of more than 20,000 current and former state employees.
The class members, the lawsuit alleges, have been exposed to an “ongoing risk of fraud and identity theft which requires continued monitoring of their financial accounts, future financial footprints, their credit profiles, and their very identities.” In fact, since the breach, the suit claims that plaintiff Morelli has had to deal with fraudulent activities on some of her credit cards and unauthorized withdrawals from her bank account.
The lawsuit argues that both RIPTA and UHC did not adequately encrypt and secure the personal information from unauthorized access by third parties as required by federal standards, and were negligent in failing to properly maintain, protect, purge and safely destroy the data. The suit specifically alleges that these deficiencies violated two state laws designed to preserve healthcare confidentiality and protect against identity theft.
Among the troubling factual allegations in the complaint are the following:
• The data files provided by UHC to RIPTA included information not only for individuals insured under RIPTA’s healthcare plan but also for approximately 17,000 non-RIPTA state employees. RIPTA later revealed that roughly 5,000 additional out-of-state residents had also had their information breached.
• RIPTA formally notified individuals that their personal information had been hacked 138 days after first discovering the breach, even though state law sets a 45-day deadline for such notification.
• The notification letter failed to specify whether the individual’s breached data was limited to general personal information, such as SSNs, or also included personal health information.
• When RIPTA posted a notice about the breach on its website in December 2021, it falsely stated that the hacked data files were limited to the “personal information of our health plan beneficiaries,” when RIPTA knew that the data of non-RIPTA employees had been hacked as well.
The lawsuit seeks an award of compensatory and punitive damages; attorneys’ fees; an order requiring the defendants to pay for and provide adequate identity and credit monitoring service through a third-party vendor for ten years; and an order obliging the defendants to take numerous steps to implement and maintain a comprehensive information security program to protect the confidentiality and integrity of the personal information of the class members.
The ACLU has set up a special email address where people who wish to provide evidence of harm they have faced as a result of last year’s data breach can share it with the ACLU and the attorneys handling the lawsuit. The email address is riptadatabreach@riaclu.org.
The ACLU and attorneys in the case said today that the incident also should prompt the General Assembly to adopt even stronger statutory remedies against state agencies and healthcare providers that fail to adequately protect the confidentiality of personal data they maintain. Those remedies could include an automatic minimum award of damages to affected individuals, the imposition of hefty fines to serve as a deterrent, and free lifetime credit monitoring.
QUOTES FROM PARTICIPANTS IN THE LAWSUIT:
Plaintiff Alexandra Morelli: “In early January, I was notified about the data breach. Soon afterwards, my savings account was significantly compromised along with several of my credit cards. I spent countless hours working with local authorities, banks, and credit bureaus to try to protect my identity and personal information. To date, I am still monitoring all activities and have frozen several of my accounts. I am participating in this lawsuit in hopes to bring awareness to this issue and help others that may have been impacted or will be impacted by this data breach.”
Plaintiff Diane Cappalli: “I was deeply troubled to learn of the data breach. More than a year later, I am even more troubled that we still do not have a lot of answers about how this major violation of my privacy occurred. The thousands of current and former employees who have been affected by it deserve answers and that is why I am participating in this important lawsuit.”
ACLU of RI cooperating attorney Peter Wasylyk: “When an individual’s confidential personal and healthcare information is compromised, that individual will have to worry about the potential for identity theft which could lead to financial ruin by impacting their savings, livelihood, credit score, and access to healthcare. It can cause significant stress for the rest of that individual’s lifetime. The thousands of people whose personal information was compromised deserve a remedy for RIPTA and United Healthcare’s negligence, and we are hopeful this lawsuit will provide them some relief.”
ACLU of RI Executive Director Steven Brown: “Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ. As we pursue a legal remedy for this tremendous breach of personal and medical privacy, we believe this incident should also serve as a wake-up call to the General Assembly to strengthen the remedies available to victims of these breaches.”
