The American Civil Liberties Union of Rhode Island (ACLU of RI) is filing a lawsuit against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) because of a data breach in August 2021 that impacted over 22,000 persons.
According to RIPTA, it detected a cyberattack on its systems and blocked it on August 5, 2021. The investigation of the breach revealed that hackers gained access to its systems on August 3. Analysis of the files on the compromised parts of its network showed they included the information of 5,015 group health plan members, including names, birth dates, health plan ID numbers, and Social Security numbers.
RIPTA submitted the breach report to the HHS’ Office for Civil Rights indicating that 5,015 persons were affected; however, the data of 17,378 more individuals who weren’t RIPTA staff was also exposed. RIPTA sent notification letters to all impacted persons 4 months after discovering the data breach, which resulted in multiple complaints submitted to the Rhode Island Attorney General by non-RIPTA workers seeking to find out how and why RIPTA had access to their information. According to RIPTA, UnitedHealthcare was its previous health insurance provider, and the data of the non-RIPTA employees came from UnitedHealthcare.
Plaintiffs Alexandra Morelli, an employee of URI, and Diane Cappalli, a retired employee of RIPTA, filed the lawsuit. The plaintiffs represent a class of over 20,000 persons. The lawsuit claims the plaintiffs and class members face a continuing risk of fraud and identity theft, which requires them to continually monitor their credit reports and financial accounts because their personal data is in the possession of cyber criminals. Morelli claims to be a fraud victim who had withdrawals from her bank account and unapproved charges on her credit cards.
The lawsuit claims the defendants were at fault for not implementing proper safeguards to protect sensitive worker and health plan member data, for example by not encrypting data and not appropriately retaining, protecting, deleting, and securely disposing of information. These failures are alleged to have violated two Rhode Island state laws: the Identity Theft Protection Act of 2015 and the Confidentiality of Healthcare Communications and Information Act.
The lawsuit additionally states that it took about 138 days after discovering the breach to send notifications. HIPAA requires covered entities to send notifications within 60 days of knowing about a data breach. State law requires sending notifications within 45 days. Additionally, the notifications did not include enough information, for example, whether Social Security numbers were compromised, and RIPTA’s website notification, released in December 2021, failed to state that the information of non-RIPTA workers was likewise breached.
The legal action seeks compensatory and punitive damages, attorneys’ fees, and an order for the defendants to cover the cost of adequate credit monitoring and identity theft protection services, specified as 10 years. The lawsuit additionally requires the defendants to implement and maintain a comprehensive data security program.