On March 10, the American Civil Liberties Union of Rhode Island announced a proposed settlement of $350,000 for a class action lawsuit against Rhode Island Public Transit Authority and UnitedHealthcare New England, according to a press release from the organization.
The lawsuit was born out of an alleged data breach at RIPTA in August 2021 which compromised the personal and health information of over 19,000 state and RIPTA employees.
The proposed settlement will be considered for approval by R.I. Superior Court Judge Brian Stern on March 31.
The settlement aims to address data security concerns for people impacted by the breach, with members of the class action lawsuit being offered financial compensation from the settlement fund. Those who filed complaints can be compensated up to $1,000 for out-of-pocket costs like bank fees and card replacements, up to four hours of lost time at a rate of $15 per hour and up to $7,500 for “extraordinary losses” caused by fraud or identity theft, according to the press release.
“In addition to the monetary settlement, all the class members have been offered five years of free credit monitoring, the aggregate value of which is in the millions of dollars,” Steven Brown, executive director of the American Civil Liberties Union of Rhode Island, wrote in email to The Herald.
The long-term credit monitoring provision “will enable individuals to continuously monitor their credit and, if needed, take swift action against potential fraud,” said Peter Wasylyk, one of the attorneys who filed the lawsuit, in a press release.
But no settlement “can undo all of the lasting negative consequences of a data breach,” he added.
According to Steven Brown, UnitedHealthcare was involved in the lawsuit because they shared non-RIPTA state employees’ personal information with RIPTA, causing this information to be compromised in the data breach.
The proposed settlement is “mutually-agreeable,” said Christopher Durand, chief executive officer of RIPTA.
With the impending settlement of the lawsuit, RIPTA is committed to preventing future data breaches, according to Cristy Raposo Perry, RIPTA’s director of communications and public outreach.
“We have taken steps to strengthen our information security processes, including further enhancing our security protocols, document handling practices, and cybersecurity training for our employees,” she wrote in an email to The Herald.
As part of the settlement agreement, RIPTA has delivered confidential information to the ACLU about how it is further improving its cybersecurity, Steven Brown said.
“RIPTA has done the best they can in this world where data breaches are part of our reality,” Amy Glidden, co-coordinator of the Rhode Island Transit Riders advocacy group, wrote in an email to The Herald. She added that the data breach “is not a big issue for the rider community” and that riders are primarily focused on securing full funding for RIPTA in lieu of the organization’s $32.6 million budget deficit.
But not everyone is satisfied with the settlement.
“I do not believe this amount is enough,” Rep. Robert Phillips (D-Woonsocket, Cumberland) wrote in an email to The Herald, considering the “sheer number of people whose information was available during the breach and the time each had to take to secure it.”
Phillips is currently sponsoring H-5301, which seeks to amend the Identity Theft Protection Act of 2015, Rhode Island’s data breach law. The proposed changes would shorten the time companies have to notify those affected by data breaches, Phillips explained.
Currently, companies in Rhode Island are also not required to notify affected individuals if their data is breached unless at least 500 people are affected. This law aims to eliminate that minimum.
The act was previously amended in 2023 — two years after RIPTA’s data breach occurred — but the issue has received increased attention following the RIBridges data breach last December.
The ACLU of Rhode Island “will support efforts by the General Assembly to strengthen the state’s identity theft law,” Steven Brown said.
Pavani Durbhakula is a senior staff writer and photographer. She is a first-year from DC and plans to study IAPA and Public Health. In her free time, she enjoys baking, reading, and searching for new coffee shops.
