In an important preliminary victory for the privacy rights of Rhode Islanders, Rhode Island Superior Court Judge Brian Stern today rejected efforts by the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) to dismiss a pending class-action lawsuit over an August 2021 data breach that compromised the Social Security numbers and other personal and health care information of more than 20,000 current and former state employees, including many with no connection to RIPTA.

RIPTA and UHC sought to have the suit dismissed on the grounds that none of the plaintiffs had standing to proceed. However, in a 46-page ruling, the court found that allegations describing the identity theft and hacking of bank and credit card accounts that some plaintiffs experienced after the breach were sufficient to establish standing to proceed with the lawsuit.

The court also found that various claims of the plaintiffs – among them, allegations of violations of the state’s health care confidentiality law, negligence in failing to properly safeguard the data, and breach of contract-related claims for not protecting the privacy of the information that was breached – should be allowed to proceed. On the other hand, the judge rejected claims of violations of the state’s identity theft law and deceptive trade practices act on the grounds that those statutes do not authorize any private remedy for violations.

As a result of today’s decision refusing to dismiss the lawsuit, the plaintiffs will proceed with preparation of the case, including their pending motion to have it certified as a class-action lawsuit and seek relief for all who were injured by the defendants’ actions. The lawsuit is being handled by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips.

ACLU of RI cooperating attorney Peter Wasylyk's noted: "Data breaches are a pervasive problem for consumers all across the county. The Judge's decision to allow this data breach case to proceed provides a comprehensive analysis of a complex, ever-changing area of the law where there is little guidance in Rhode Island case law. This decision is important because it is the first of its kind in Rhode Island. In setting out the legal requirements for bringing a data breach claim, the ruling provides an important opportunity for our plaintiffs to vindicate their privacy rights."

ACLU of RI cooperating attorney Carlin Phillips added: "Data breaches are here to stay and will only increase in number as hackers get more and more sophisticated, so we are pleased that we will be able to proceed with this lawsuit. Equally important, however, is that state legislators pass laws that expressly authorize consumers to pursue damages in court when their data has not been properly secured. As indicated in the Court's decision, the Rhode Island Identity Theft statute fails to authorize consumers to pursue a data breach claim in court. As a tiger with no teeth, it needs to be strengthened."

A copy of the court decision and other information on the lawsuit can be found on our Morelli v. RIPTA case page, or read more about the case from in February news release.

Related Content

Court Case
Oct 24, 2022
“Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ.”
  • Privacy

Morelli v. RIPTA

This class action lawsuit was filed against RIPTA and UHC over an August 2021 data breach at RIPTA that compromised the Social Security numbers and other personal and health care information of thousands of individuals, including many with no connection to RIPTA.
News & Commentary
Feb 14, 2023
morelli
  • Privacy

ACLU Expands Lawsuit Over RIPTA Breach of Personal Data of More Than 20,000 State Employees Last Year

Attorneys for the ACLU of RI have filed an amended complaint in their pending class-action lawsuit against RIPTA and UnitedHealthcare New England over an August 2021 data breach that compromised the personal and health care information of more than 20,000 current and former state employees.
News & Commentary
Dec 28, 2021
Breaking News
  • Privacy

On Heels of Public Complaints, ACLU Demands Answers from RIPTA about Breach of Personal Health Data

The ACLU of RI has sent a letter today to RIPTA demanding answers regarding an August 2021 data breach at the agency that compromised the Social Security numbers and private health care information of thousands of individuals who have no apparent connection to the agency.