ACLU of RI Sues RIPTA, UnitedHealthcare Over Healthcare Data Breach

October 26, 2022 - Attorneys with the American Civil Liberties Union (ACLU) of Rhode Island filed a class-action lawsuit against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare (UHC) New England over their handling of an August 2021 healthcare data breach that impacted thousands of individuals.

As previously reported, RIPTA suffered unauthorized access to its systems resulting in data exfiltration in August 2021. Specifically, an unauthorized party accessed files that were sent by UHC to RIPTA containing sensitive information pertaining to individuals in its state-organized health plan.

Further investigation determined that member names, birth dates, addresses, Medicare identification numbers, health plan member identification numbers, claims information, and Social Security numbers were involved in the breach.

In the aftermath of the breach, questions arose from individuals who received breach notification letters but had no connection with RIPTA at all.

“To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked,” the ACLU said in a press release.

The lawsuit, filed by cooperating attorneys for the ACLU of Rhode Island on behalf of two plaintiffs, brought up allegations about the 138-day delay between when RIPTA discovered the breach and when impacted individuals were notified, despite the state’s 45-day notification rule.

“The notification letter failed to specify whether the individual’s breached data was limited to general personal information, such as SSNs, or also included personal health information,” the ACLU noted.

In addition, “When RIPTA posted a notice about the breach on its website in December 2021, it falsely stated that the hacked data files were limited to the ‘personal information of our health plan beneficiaries,’ when RIPTA knew that the data of non-RIPTA employees had been hacked as well,” the lawsuit alleged.

The lawsuit alleged that its 20,000 potential class members are at a higher risk of fraud and identity theft as a result of the incident. One plaintiff, Alexandra Morelli, faced significant compromise that allegedly stemmed from the breach.  

“In early January, I was notified about the data breach. Soon afterwards, my savings account was significantly compromised along with several of my credit cards,” Morelli explained in a press release.

“I spent countless hours working with local authorities, banks, and credit bureaus to try to protect my identity and personal information. To date, I am still monitoring all activities and have frozen several of my accounts. I am participating in this lawsuit in hopes to bring awareness to this issue and help others that may have been impacted or will be impacted by this data breach.”

The lawsuit is seeking compensatory and punitive damages, ten years of credit monitoring for impacted individuals, and an order for the defendants to take steps to improve their security programs.

“The ACLU and attorneys in the case said today that the incident also should prompt the General Assembly to adopt even stronger statutory remedies against state agencies and healthcare providers that fail to adequately protect the confidentiality of personal data they maintain,” the ACLU stated.

“Those remedies could include an automatic minimum award of damages to affected individuals, the imposition of hefty fines to serve as a deterrent, and free lifetime credit monitoring.”