PROVIDENCE – A settlement has been reached between the American Civil Liberties Union of Rhode Island Inc., the R.I. Public Transit Authority and UnitedHealthcare of New England in the ongoing class-action legal battle over a data breach in 2021.
Additionally, ACLU cooperating attorney Peter Wasylyk filed a proposed settlement, which will be heard in R.I. Superior Court on March 31.
The suit dates back to October 2022 when the ACLU filed the complaint in Superior Court against RIPTA and UnitedHealthcare, alleging that lax security measures and belated notification led to the 2021 breach that affected more than 20,000 current and former state employees. The class-action lawsuit alleges that RIPTA and UnitedHealthcare failed to encrypt and secure individuals’ personal information following federal standards, and also violated two Rhode Island laws intended to safeguard medical confidentiality and protect against identity theft.
In November 2023, R.I. Superior Court Associate Justice Brian P. Stern denied the defendants’ dismissal request and allowed the case to move forward.
Wasylyk told Providence Business News on Monday that a preliminary approval hearing is held by the court after settlements are reached in class-action cases to start finalizing details. Then in approximately four months, a final approval hearing will be held where the judge will hear all class responses to seal the deal, Wasylyk said.
The proposed settlement filed on Monday includes RIPTA and UnitedHealthcare creating a settlement fund and various settlement amounts for impacted individuals. If approved by the court, RIPTA and UnitedHealthcare will establish a $350,000 settlement fund, with possibly adding $25,000 more if claims exceed that amount, as financial compensation to those class members seeking relief.
Class members can also potentially claim up to $1,000 for unreimbursed breach-related out-of-pocket expenses. Such expenses include bank fees, card replacement costs, identity document fees and credit monitoring services purchased since the breach occurred, the ACLU said.
Also, the proposed settlement includes class members possibly claiming up to $7,500 for documented “extraordinary losses” resulting from identity theft, fraud, false tax returns or other misused personal information from the breach. Claimants can also get five years of free credit monitoring, valued at $840, the ACLU said.
“Data breach settlements are not just about providing financial compensation. No data breach settlement offering only financial compensation can undo all of the lasting negative consequences of a data breach,” Wasylyk said. “More importantly, data breach settlements are about equipping impacted individuals with the tools to quickly detect and address potential fraudulent activity in order to safeguard their financial well-being.”
(UPDATED throughout with minor edits.)
James Bessette is the PBN special projects editor, and also covers the nonprofit and education sectors. You may reach him at Bessette@PBN.com. You may also follow him on X at @James_Bessette.
