RI ACLU files lawsuit over RIPTA data breach of more than 20K state employees
PROVIDENCE, R.I. (WLNE) — The ACLU of Rhode Island has filed a lawsuit against the Rhode Island Public Transit Authority and United Healthcare over a massive data breach that happened last year.
The data breach at the state agency that operates Rhode Island’s public bus service compromised the personal information, including Social Security numbers and Medicare identification numbers, of about 22,000 people — many with no connection to RIPTA. According to the ACLU’s lawsuit, they believe the incident stemmed from a data transfer between UHC and RIPTA that failed to encrypt the data sent.
Nearly 5,000 were RIPTA employees and some of the additional 17,000 were employees of other state agencies. In December, the agency mailed letters to 22,000 people.
According to the lawsuit filed by RI ACLU attorneys Peter Wasylyk and Carlin Philips, RIPTA notified individuals that their personal information had been hacked 138 days after discovering the breach. In the lawsuit, the ACLU alleges negligence against the two entities, seeking compensation and protection for affected people.
As of Tuesday, the ACLU has launched an email for people that may have been affected by the breach to reach out to for help. That email is email@example.com
“When an individual’s confidential personal and healthcare information is compromised, that individual will have to worry about the potential for identity theft which could lead to financial ruin by impacting their savings, livelihood, credit score, and access to healthcare,” said Wasylyk.
The lead plaintiff in the case, Alexandra Morelli is a URI employee who lives in Coventry. She said that around the same time as the data breach, she started to lose thousands of dollars from her savings account and noticed fraudulent activity on her credit card.
Diane Cappalli, a since-retired RIPTA employee said, “More than a year later, I am even more troubled that we still do not have a lot of answers about how this major violation of my privacy occurred.
According to the lawsuit, RIPTA falsely stated in December that the hacked data files were limited to employees when it allegedly knew that the data of non-RIPTA employees had also been hacked.
The lawsuit seeks an award of compensatory and punitive damages, an order requiring RIPTA to pay for and provide adequate identity and credit monitoring service through a third-party vendor for 10 years, and an order obliging the agency to take numerous steps to implement and maintain a comprehensive information security program.