Judge Stern Allows Lawsuit Over RIPTA Breach of 20K State Employees' Data to Move Forward

Judge Stern Allows Lawsuit Over RIPTA Breach of 20K State Employees' Data to Move Forward

Rhode Island Superior Court Judge Brian Stern on Wednesday issued a decision rejecting efforts by the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) to dismiss a pending class-action lawsuit over an August 2021 data breach that compromised the Social Security numbers and other personal and healthcare information of more than 20,000 current and former state employees, including many with no connection to RIPTA.

RIPTA and UHC sought to have the suit dismissed on the grounds that none of the plaintiffs had standing to proceed. However, in a 46-page ruling, the court found that allegations describing the identity theft and hacking of bank and credit card accounts that some plaintiffs experienced after the breach were sufficient to establish standing to proceed with the lawsuit.

According to the ACLU, "the court also found that various claims of the plaintiffs – among them, allegations of violations of the state’s health care confidentiality law, negligence in failing to properly safeguard the data, and breach of contract-related claims for not protecting the privacy of the information that was breached – should be allowed to proceed.  On the other hand, the judge rejected claims of violations of the state’s identity theft law and deceptive trade practices act on the grounds that those statutes do not authorize any private remedy for violations."

GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLAST

As a result of the decision refusing to dismiss the lawsuit, the plaintiffs will proceed with the preparation of the case, including their pending motion to have it certified as a class-action lawsuit and seek relief for all who were injured by the defendants’ actions. The lawsuit is being handled by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips.

Wasylyk said, “Data breaches are a pervasive problem for consumers all across the county. The Judge's decision to allow this data breach case to proceed provides a comprehensive analysis of a complex, ever-changing area of the law where there is little guidance in Rhode Island case law.  This decision is important because it is the first of its kind in Rhode Island. In setting out the legal requirements for bringing a data breach claim, the ruling provides an important opportunity for our plaintiffs to vindicate their privacy rights.”

ACLU of RI cooperating attorney Carlin Phillips added: “Data breaches are here to stay and will only increase in number as hackers get more and more sophisticated, so we are pleased that we will be able to proceed with this lawsuit. Equally important, however, is that state legislators pass laws that expressly authorize consumers to pursue damages in court when their data has not been properly secured.  As indicated in the Court's decision, the Rhode Island Identity Theft statute fails to authorize consumers to pursue a data breach claim in court.  As a tiger with no teeth, it needs to be strengthened.”  

 

BACKGROUND INFORMATION ON MORELLI V. RIPTA PROVIDED BY ACLU

To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why – in violation of notification requirements in state law – it took over four months for RIPTA to apprise both their employees and other affected individuals that their information had been hacked. The amended complaint cites testimony provided at a legislative hearing in January 2022 at which RIPTA representatives testified but UHC representatives refused to attend. Those testifying for RIPTA acknowledged that “nothing was encrypted up to the point of the breach,” and that the breach included such data as Medicare ID numbers, providers’ names and dates of service, which could, the amended complaint states, “expose an individual’s health care history, diagnosis, condition, and treatment.” 

 

            Among some of the troubling factual allegations contained in the complaint:

         • The data files provided by UHC to RIPTA included information not only for individuals insured under RIPTA’s healthcare plan but also for approximately 17,000 non-RIPTA state employees.  RIPTA later revealed that roughly 5,000 additional out-of-state residents had also had their information breached.

         • RIPTA formally notified individuals that their personal information had been hacked 138 days after first discovering the breach, even though state law sets a 45-day deadline for such notification. 

         • The notification letter failed to specify whether the individual’s breached data was limited to general personal information, such as SSNs, or also included personal health information.

         • When RIPTA posted a notice about the breach on its website in December 2021, it falsely stated that the hacked data files were limited to the “personal information of our health plan beneficiaries,” when RIPTA knew that the data of non-RIPTA employees had been hacked as well.