An out-of-service Rhode Island Public Transit Authority bus is stopped at Kennedy Plaza in downtown Providence in April 2024. (Photo by Christopher Shea/Rhode Island Current)
State employees whose personal data was breached in a ransomware attack on the Rhode Island Public Transit Authority’s (RIPTA) network in 2021 could be eligible for up to $7,500 in compensation, under a proposed settlement agreement recently filed in Providence Superior Court.
The American Civil Liberties Union (ACLU) of Rhode Island announced the settlement Monday to end its lawsuit against RIPTA and UnitedHealthcare New England over claims that they failed to encrypt and secure personal information for potentially as many as 19,608 current and former state employees.
That’s the number of people who received notifications that their personal information may have been exposed. However, a data breach report RIPTA was required to file with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights indicates 5,015 people were impacted.
The class-action lawsuit, filed in 2022, claims UnitedHealthcare and RIPTA violated state law requiring timely notification of the breach, in which files containing Social Security numbers as well as insurance claim information were illegally obtained by a third party from the bus agency’s server.
Under the proposed settlement, RIPTA and UnitedHealthcare would establish a $350,000 settlement fund, with the possibility of an additional $25,000 if claims exceed that amount. State employees whose data was exposed can request up to $1,000 for out-of-pocket expenses made because of the breach, $15 per hour (for up to four hours) for any time lost dealing with the fallout of the 2021 hack, and up to $7,500 for any “extraordinary losses” such as identity theft or fraud.
Those affected by the data breach would also be eligible for five years of free credit monitoring. The ACLU estimates the value of the credit monitoring for all affected state employees would exceed $16.4 million.
“Data breach settlements are not just about providing financial compensation,” Peter Wasylyk, the ACLU’s lead attorney in the lawsuit, said in a statement. “No data breach settlement offering only financial compensation can undo all of the lasting negative consequences of a data breach.”
Wasylyk, a former Rhode Island state representative, is also at the center of a class-action lawsuit against Deloitte Consulting over its role in the 2024 data breach on the state’s public benefits system.
Some of those named in the breach were victims of fraudulent transactions, according to the lawsuit. WPRI 12 reported at the time that RIPTA paid the hackers $170,000 to get its systems back and prevent further spread of personal information.
The breach occurred in August 2021, but was not disclosed until December. State law requires notification within 30 days for state and municipal agencies. RIPTA has since updated its internal policy and practices to prevent similar data breaches, according to the March 7 court filing.
Federal regulations require agencies and organizations covered by the federal law known as HIPAA, for Health Insurance Portability and Accountability Act, to report data breaches that impact 500 or more people to HHS. RIPTA responded to the breach by retraining staff and enacting new administrative, technical and security safeguards to protect personal information, according to information listed in the HHS online portal.
‘Data retention wasn’t great’
The RIPTA breach was cited at the inaugural meeting of the Rhode Island Senate Committee on Artificial Intelligence and Emerging Technologies last month, in a presentation by Douglas Alexander, director of the Institute for Cybersecurity & Emerging Technologies at Rhode Island College.
Alexander offered the breach as a cautionary example of how state agencies can manage data poorly.
“Certainly the RIPTA breach was an instance where data retention wasn’t great, because there were employees in that database that were not even RIPTA employees,” he told senators.
RIPTA CEO Christopher Durand said he was to reach a mutually agreeable settlement.
“This settlement was the product of lengthy good faith negotiations and successful mediation efforts. We look forward to finalizing and implementing the parties’ proposed settlement and continuing to focus on our core mission,” Durand said in a statement.
A UnitedHealthcare spokesperson did not immediately respond to a request for comment.
Superior Court Judge Brian Stern is scheduled to consider preliminary approval of the ACLU’s proposed settlement on March 31.
Reporter Alexander Castro contributed to this story.