Settlement Agreed to Resolve RIPTA Ransomware Attack Lawsuit
A settlement has been agreed to resolve a lawsuit against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over a 2021 ransomware attack. The ransomware attack was detected and blocked on August 5, 2021; however, the forensic investigation confirmed that hackers gained access to RIPTA’s network on August 3, 2021, and stole sensitive data including names, dates of birth, Social Security numbers, and health plan ID numbers. RIPTA announced the data breach on December 23, 2021. The personal information of 17,378 current and former state employees was compromised in the attack, plus the protected health information of 5,015 members of its group health plan.
The Rhode Island Attorney General received complaints from individuals about the data breach, questioning why their data had been compromised when they had not worked with or had any dealings with RIPTA. An investigation was launched, and it was confirmed that RIPTA’s previous health insurance provider, UnitedHealthcare of New England, had provided RIPTA with files containing the data of non-RIPTA employees, and that data was compromised in the attack.
A lawsuit was filed against RIPTA and UnitedHealthcare of New England in 2022 by the American Civil Liberties Union of Rhode Island (ACLU of RI) seeking compensatory and punitive damages, attorneys’ fees, 10 years of credit monitoring services, and an order from the court requiring the defendants to implement a comprehensive information security program. The lawsuit claimed the defendants were negligent as they had failed to implement appropriate data security measures and did not properly maintain, purge, and safely destroy data, in violation of the Rhode Island Identity Theft Protection Act and the Rhode Island Deceptive Trade Practices Act.
The plaintiffs believe all claims have merit, and the defendants deny any wrongdoing or liability. After engaging in arm’s-length mediation, all parties agreed to a settlement to end the litigation and avoid the risks, uncertainty, and cost of continuing it. Under the terms of the settlement, the defendants will establish a $350,000 settlement fund to cover claims, class notice costs, administration costs, and service awards. If claims exceed the amount in the settlement fund, the defendants have agreed to add no more than $25,000 to the settlement fund. State employees who had their data compromised in the incident may submit a claim for up to $1,000 to cover out-of-pocket expenses due to the data breach, up to 4 hours of lost time at $15 per hour, and up to $7,500 as reimbursement of any extraordinary losses such as identity theft and fraud. In addition, affected state employees are entitled to claim five years of free credit monitoring services, which have been valued by ACLU of RI at more than $16.4 million.
“Data breach settlements are not just about providing financial compensation,” said Peter Wasylyk, ACLU of RI’s lead attorney. “No data breach settlement offering only financial compensation can undo all of the lasting negative consequences of a data breach. More importantly, data breach settlements are about equipping impacted individuals with the tools to quickly detect and address potential fraudulent activity in order to safeguard their financial well-being.”


