The American Civil Liberties Union of Rhode Island (ACLU of RI) has amended its complaint against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) in their pending class action lawsuit over an August 2021 data breach. RIPTA is a state agency that operates the public bus service in Rhode Island. In August 2021, an unauthorized third party gained access to its computer systems and stole files that contained sensitive employee information, including names, Social Security numbers, and other personal and health data.
RIPTA issued notifications to all affected individuals – approximately 22,000 – 4 months after the data breach; however, many individuals received notification letters who had no connection to RIPTA. It was later explained that the information of approximately 5,000 RIPTA employees was compromised, along with the data of 17,000 non-RIPTA employees. RIPTA held the data of 17,000 employees of other state agencies after the information was mistakenly sent to RIPTA by UHC.
ACLU of RI filed a lawsuit against RIPTA and UHC over the data breach, which initially named two plaintiffs: a University of Rhode Island employee and a retired RIPTA employee, both of whom had been affected by the breach. The plaintiffs represented a class of more than 20,000 individuals. The lawsuit alleges RIPTA and UHC were negligent in failing to properly maintain, protect, purge, and safely destroy data, in violation of two Rhode Island laws. Further, the notification letters did not contain sufficient information about the breach, RIPTA falsely stated on its website that only beneficiaries of its health plan had been affected, and it took 138 days after the discovery of the breach to issue notifications, in violation of state law which requires data breach notifications to be issued within 45 days.
The lawsuit alleges the plaintiffs and class members face an ongoing risk of fraud and identity theft, which requires them to continually monitor their financial accounts, future financial footprints, credit profiles, and identities. After the data breach, one of the plaintiffs experienced fraudulent use of her credit cards and unauthorized bank account withdrawals. The amended complaint adds a further eleven plaintiffs to the lawsuit as class representatives and details the harm that has been caused by the breach, which for some individuals includes losses of thousands of dollars. Some of the stolen data has also been discovered on the dark web. The amended complaint also includes details of the testimonies of RIPTA employees from a January 2022 hearing – which UHC representatives failed to attend – confirming encryption was not employed until after the data breach, and that the data breach also included Medicare ID numbers, providers’ names and dates of service. Despite the data breach occurring more than 18 months ago, it is still unclear why UHC provided RIPTA with the data of non-RIPTA employees or why it took so long for notification letters to be issued.
The lawsuit seeks compensatory and punitive damages, attorneys’ fees, 10 years of credit monitoring services, and the courts to order the defendants to implement a comprehensive information security program.
The post ACLA Expands Class Action Lawsuit Against RIPTA and UnitedHealthcare New England appeared first on HIPAA Journal.