ACLU files lawsuit against RIPTA, United Healthcare over data breach

Updated at 2:31 p.m.

PROVIDENCE – Earlier this year, Alexandra Morelli received a distressing notification: Her personal data had been compromised in an August 2021 cyberattack on the Rhode Island Public Transit Authority that also breached UnitedHealthcare of New England Inc. data shared with the agency.

Shortly afterwards, Morelli, a University of Rhode Island employee who says she has no ties to RIPTA, began noticing suspicious activity on her bank account.

“Within a period of a few weeks, there were fraudulent withdrawals totaling thousands of dollars for my personal savings account, and several of my credit cards had fraudulent activity,” Morelli said, speaking at a press event on Tuesday morning.

Morelli is one of more than 20,000 current and former state employees affected by this data breach, according to an estimate by the American Civil Liberties Union of Rhode Island.

The state’s ACLU chapter on Tuesday announced it will file a lawsuit against RIPTA and UnitedHealthcare, alleging that lax security measures and belated notification led to this breach.

The class-action lawsuit alleges that RIPTA and UnitedHealthcare failed to encrypt and secure individuals’ personal information in accordance with federal standards, and also violated two Rhode Island laws intended to safeguard health care confidentiality and protect against identity theft.

An organization as large as UnitedHealthcare failing to adequately encrypt personal information is particularly “incomprehensible,” said Steven Brown, director of the ACLU of R.I.

Additionally, the ACLU alleges that RIPTA violated state law requiring timely notification of the breach to those affected.

On Tuesday afternoon, RIPTA spokesperson Barbara Polichetti said that the agency had “not been notified of or served with a lawsuit from the ACLU of R.I.,” and declined to comment. Polichetti did not address a question on why RIPTA had personal and health care information for non-RIPTA employees.

“Protecting member privacy is a top priority and we continue to work with multiple parties to understand the data breach that impacted the Public Transit Authority’s computer system,” said UHC spokesperson Sarah Mann. “We were privileged to serve the state of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter.”

The transportation agency notified affected individuals of the breach 138 days after it was first discovered, the lawsuit states, while state law requires notification within 45 days. The agency also did not specify whether the compromised data included health care information in addition to personal information.

Morelli, the lawsuit’s lead plaintiff, is filing the complaint alongside retired RIPTA employee Diane M. Cappalli and “on behalf of all others similarly situated,” according to court documents.

Due to this alleged mishandling, the ACLU says that those affected now experience “ongoing risk of fraud and identity theft which requires continued monitoring of their financial accounts, future financial footprints, their credit cards and their very identities.”

Morelli has since remedied the initial fraudulent activity with her bank, she said, but worries that cybercriminals responsible for the breach will continue to target her account.

And fixing the unauthorized charges required significant effort, she says, noting that a RIPTA hotline and state and local authorities did not offer the help she needed.

“I spent countless hours navigating a dysfunctional system without any assistance to undo the damage caused and prevent further damage,” Morelli said.

The ACLU is also questioning how and why UnitedHealthcare provided personal and health care information for non-RIPTA state employees to the agency.

“For the individuals who have been harmed by the data breach, I think one of the most striking things to me and one of the other reasons for the lawsuit is to get answers as to how this happened,” Brown said. “It has been more than a year since this breach occurred, yet we still don’t have the answers to many basic questions about this incident.”

(UPDATED throughout with new details, comment.)

(UPDATE: Comment from RIPTA added in 9th paragraph)

(UPDATE: Comment from UnitedHealthcare of New England added in 10th paragraph)

Jacquelyn Voghel is a PBN staff writer. You may reach her at Voghel@PBN.com