A Rhode Island Superior Court judge has declined the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare of New England’s bid to dismiss a lawsuit associated with a data breach affecting over 20,000 present and former state employees.
The class-action suit, filed by the American Civil Liberties Union (ACLU) of Rhode Island, alleges negligence by RIPTA and UHC in safeguarding and promptly notifying individuals impacted by a cyberattack in August 2021.
According to ACLU claims, the breach compromised data files containing personal information of individuals unaffiliated with the public transit agency, provided to RIPTA by UHC.
Critical to the court’s decision was the delay in informing affected state employees about the breach, which transpired four months after the incident. RIPTA attributed the delay to the identification and notification process for workers whose private information was unlawfully accessed.
RIPTA and UHC sought dismissal, asserting lack of legal standing among the plaintiffs. However, Judge Brian Stern ruled in favor of the plaintiffs, acknowledging claims of identity theft and banking account hacking experienced by some individuals, warranting continuation of the lawsuit.
Stern’s decision also upheld several claims by the plaintiffs, including alleged violations of the state’s health care confidentiality law, negligence in data protection, and breach of contract concerning privacy safeguarding.
ACLU cooperating attorney Peter Wasylyk emphasized the significance of the ruling in setting legal benchmarks for data breach claims, providing a pathway for plaintiffs to assert their privacy rights.
The lawsuit aims to secure compensatory and punitive damages for affected individuals, coupled with a decade of identity and credit monitoring funded by RIPTA and UHC.
RIPTA’s spokesperson, Cristy Raposo Perry, stated that the agency is reviewing Judge Stern’s ruling in detail following its reception.