The ACLU from Rhode Island He is filing a class action lawsuit against Rhode Island Public Transportation Authority and UnitedHealthcare New England over a The data breach that led to the breach of personal data of thousands of state employees last year.
The goal of the lawsuit is to obtain financial compensation for the victims of the August 2021 breach, as well as to “get answers about how this happened,” Stephen Brown, executive director of the American Civil Liberties Union, said Tuesday.
More than a year has passed, he noted, “and we still don’t have answers to many basic questions about the accident.”
United Healthcare did not immediately respond to a request for comment. “We have not been notified or received a lawsuit from the Rhode Island Civil Liberties Union. We have no comment at this time,” RIPTA spokeswoman Barbara Pulichetti wrote in an email.
The main plaintiffs named in the lawsuit are Alexandra Morelli, a Coventry resident who has worked at the University of Rhode Island since 2016, and Diane Caballe, who served as a scheduling coordinator for RIPTA at the time of the violation and has since retired in Florida. .
In January 2022, fraudulent transactions were made with a Morelli’s Kohl credit card, according to the lawsuit. The following month, there was suspicious activity on her Target and GAP credit card. In addition, a total of $29,999 was withdrawn from her bank account without permission in February and March.
“This whole experience has been and is very frustrating,” Morelli said at a news conference Tuesday in the Providence office of the ACLU, noting that she was in the process of planning her wedding. She said the timing of the fraudulent activity made her convinced it was linked to the data breach: “Nothing like this has happened to me before.”
In total, more than 20,000 current and former government employees have been affected by this breach.
Officials said hackers took over RIPTA’s computer system and gained access to files containing information about individuals covered by the state’s health care plan. These files contained Social Security numbers as well as health claims information for some individuals.
Previous RIPTA data breach coverage:
Earlier this year, RIPTA said the breach affected the personal health information covered by HIPAA for just over 5,000 individuals.
The files go back to the period of time the country used UnitedHealthcare to administer its healthcare plan; It has since switched to BlueCross BlueShield.
Peter Wasilek, lead attorney for the lawsuit, said it was “completely incomprehensible” that one of the country’s largest health insurance companies would have given RIPTA unencrypted data containing sensitive information.
Although the violation occurred in August 2021, state employees were first notified of the incident in December 2021. State law requires notification within 45 days. Brown said they were not notified about the specific information that was taken, and the initial notice indicated that the breach involved only RIPTA employees.
“To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took RIPTA more than four months to notify both its employees and other affected individuals that their information was press release.
The lawsuit asserts that both RIPTA and UHC failed to properly secure personal information of state employees, and did not meet the standards required by federal law. As a result, she says, plaintiffs have had to spend “a significant amount of time and effort” canceling credit and debit cards, contacting banks, monitoring financial accounts, challenging unauthorized purchases, and combating identity theft.
The ACLU has created an email address, RIPTADATABREACH@riaclu.org, for anyone affected by the breach.
“If we don’t get those answers, we think it would be very easy for something like this to happen again,” Brown said.