Judge denies request to dismiss data breach lawsuit against RIPTA, UnitedHealthcare

PROVIDENCE – The American Civil Liberties Union of Rhode Island Inc.’s class action lawsuit against the Rhode Island Public Transit Authority and UnitedHealthcare of New England Inc. can move forward, a Superior Court judge ruled Wednesday.

The ACLU’s lawsuit accuses RIPTA and UnitedHealthcare of New England of lax security measures and belated notification of a 2021 data breach that affected more than 20,000 current and former state employees.

The class-action lawsuit alleges that RIPTA and UnitedHealthcare failed to encrypt and secure individuals’ personal information following federal standards, and also violated two Rhode Island laws intended to safeguard medical confidentiality and protect against identity theft.

The public transit agency notified affected individuals of the breach 138 days after it was first discovered, the lawsuit states, while state law requires notification within 45 days, and RIPTA also did not specify if the compromised data included health care information in addition to personal information.

- Advertisement -

In his ruling Wednesday, Superior Court Associate Justice Brian Stern found that various claims of the plaintiffs – among them, allegations of violations of the state’s health care confidentiality law, negligence in failing to properly safeguard the data, and breach of contract-related claims for not protecting the privacy of the information that was breached – should be allowed to proceed.

Both RIPTA and UHC sought to have the lawsuit dismissed on the grounds that none of the plaintiffs had standing to proceed. However, in a 46-page ruling, Stern found that allegations describing the identity theft and hacking of bank and credit card accounts that some plaintiffs experienced after the breach were sufficient to establish standing.

“Data breaches are a pervasive problem for consumers all across the county,” said Peter Wasylyk, ACLU cooperating attorney. “This decision is important because it is the first of its kind in Rhode Island. In setting out the legal requirements for bringing a data breach claim, the ruling provides an important opportunity for our plaintiffs to vindicate their privacy rights.”