In an important preliminary victory for the privacy rights of Rhode Islanders, Rhode Island Superior Court Judge Brian Stern today rejected efforts by the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) to dismiss a pending class-action lawsuit over an August 2021 data breach that compromised the Social Security numbers and other personal and health care information of more than 20,000 current and former state employees, including many with no connection to RIPTA.

RIPTA and UHC sought to have the suit dismissed on the grounds that none of the plaintiffs had standing to proceed. However, in a 46-page ruling, the court found that allegations describing the identity theft and hacking of bank and credit card accounts that some plaintiffs experienced after the breach were sufficient to establish standing to proceed with the lawsuit.

The court also found that various claims of the plaintiffs – among them, allegations of violations of the state’s health care confidentiality law, negligence in failing to properly safeguard the data, and breach of contract-related claims for not protecting the privacy of the information that was breached – should be allowed to proceed.  On the other hand, the judge rejected claims of violations of the state’s identity theft law and deceptive trade practices act on the grounds that those statutes do not authorize any private remedy for violations.

As a result of today’s decision refusing to dismiss the lawsuit, the plaintiffs will proceed with preparation of the case, including their pending motion to have it certified as a class-action lawsuit and seek relief for all who were injured by the defendants’ actions. The lawsuit is being handled by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips.

ACLU of RI cooperating attorney Peter Wasylyk's noted: "Data breaches are a pervasive problem for consumers all across the county. The Judge's decision to allow this data breach case to proceed provides a comprehensive analysis of a complex, ever-changing area of the law where there is little guidance in Rhode Island case law.  This decision is important because it is the first of its kind in Rhode Island. In setting out the legal requirements for bringing a data breach claim, the ruling provides an important opportunity for our plaintiffs to vindicate their privacy rights."

ACLU of RI cooperating attorney Carlin Phillips added: "Data breaches are here to stay and will only increase in number as hackers get more and more sophisticated, so we are pleased that we will be able to proceed with this lawsuit. Equally important, however, is that state legislators pass laws that expressly authorize consumers to pursue damages in court when their data has not been properly secured.  As indicated in the Court's decision, the Rhode Island Identity Theft statute fails to authorize consumers to pursue a data breach claim in court.  As a tiger with no teeth, it needs to be strengthened."

A copy of the court decision and other information on the lawsuit can be found on our Morelli v. RIPTA case page, or read more about the case from in February news release.