BREACH INVOLVED MORE THAN 19,000 STATE AND RIPTA EMPLOYEES
The American Civil Liberties Union of Rhode Island announced today that a proposed settlement has been filed in the class-action lawsuit against the Rhode Island Public Transit Authority (“RIPTA”) and UnitedHealthcare New England (“UHC”) over an August 2021 data breach at RIPTA that compromised the Social Security numbers and other personal and health care information of thousands of individuals, including many with no connection to RIPTA.
Key aspects of the proposed settlement, if approved by the court, include the following:
- RIPTA and UHC will establish a $350,000 settlement fund, with the possible addition of $25,000 more if claims exceed that amount, as financial compensation to those class members who submit claims in the categories summarized below.
- Members of the class can claim up to $1,000 for appropriately documented, unreimbursed out-of-pocket expenses related to the data breach or efforts to mitigate its effects, such as bank fees, card replacement costs, identity document fees, and credit monitoring services purchased since the breach occurred.
- Members of the class can claim up to four hours of lost time at $15 per hour for addressing issues related to the data breach by submitting an attestation form. This can include activities like changing passwords, monitoring accounts, contacting financial institutions, signing up for fraud protection, or researching the incident and its impact. At least one hour is presumed for each claimant who submits a form.
- Members of the class may claim up to $7,500 for appropriately documented “extraordinary losses” resulting from identity theft, fraud, falsified tax returns, or other misuse of personal information caused by the data breach.
- If the total value of approved claims is either greater or less than the proposed settlement fund, payments will be reduced or increased accordingly on a pro rata basis.
- In addition, members of the class who sign up during the claims period will receive five years of free one-bureau credit monitoring, which has a retail value of $840 per class member.
- The twelve individually named plaintiffs who represented the class may be awarded additional financial compensation and will each be awarded $1,500 by the Court for their service as representative plaintiffs.
A hearing is scheduled to take place on Monday, March 31st before R.I. Superior Court Judge Brian Stern to consider preliminary approval of the proposed settlement.
The lawsuit was filed by ACLU of RI cooperating attorneys Peter Wasylyk and Carlin Phillips in 2022. It argued that the defendants did not adequately encrypt and secure the personal information from unauthorized access by third parties as required by federal standards, and were negligent in failing to properly maintain, protect, purge, and safely destroy the data. The data files provided by UHC to RIPTA that were part of the breach included information not only for individuals insured under RIPTA’s healthcare plan but also for thousands of non-RIPTA state employees. The suit alleged that these deficiencies violated state laws designed to preserve healthcare confidentiality and protect against identity theft. According to the settlement agreement, RIPTA has supplied confidential information describing changes in its procedures and practices to prevent similar data breaches from occurring.
Commenting on the settlement, attorney Wasylyk stated: “Data breach settlements are not just about providing financial compensation. No data breach settlement offering only financial compensation can undo all of the lasting negative consequences of a data breach. More importantly, data breach settlements are about equipping impacted individuals with the tools to quickly detect and address potential fraudulent activity in order to safeguard their financial well-being. This settlement not only offers financial compensation but, even more critically, provides long-term credit monitoring. This essential safeguard in the form of five years of free monitoring will enable individuals to continuously monitor their credit and, if needed, take swift action against potential fraud, giving them peace of mind for years to come.”
A copy of the proposed settlement agreement and background information on the suit can be found here.