Judge allows data breach lawsuit against RIPTA to move forward


Nov 29, 2023 | 5:03 pm ET
By Christopher Shea
The Rhode Island Public Transit Authority headquarters on Melrose Street in Providence. (Christopher Shea/Rhode Island Current)

PROVIDENCE — A class-action lawsuit against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare of New England can continue, a Rhode Island Superior Court judge decided Wednesday.

The lawsuit, filed last year by the Rhode Island Chapter of the American Civil Liberties Union (ACLU), concerns a 2021 data breach that affected as many as 22,000 state employees.

The ACLU said RIPTA and UnitedHealthcare sought to dismiss the suit because “none of the plaintiffs had standing to proceed.” However, Superior Court Judge Brian Stern ruled that the allegations, which describe identity theft and hacking of bank and credit card accounts that some plaintiffs experienced after the breach, were sufficient for the case to continue.

RIPTA Chief Legal Counsel Steven Colantuono said in an interview Wednesday that the court’s decision was not surprising.

“At this point in time, it’s really hard to dismiss these claims when you don’t have all the facts in front of you,” he said. “It is what it is.”

Colantuono added that RIPTA hired outside counsel to provide additional feedback on the ruling before the agency decides its next course of action.

A representative for UnitedHealthcare did not immediately respond to a request for comment.

The ACLU’s lawsuit claims UnitedHealthcare wrongfully provided RIPTA with the personal and health care information of current and former state employees. Files contained Social Security numbers as well as insurance claim information on some people. 

Some of those named in the breach were victims of fraudulent transactions, according to the lawsuit.

The breach occurred in August 2021, but was not disclosed until December. State law requires notification within 45 days.

The ACLU seeks compensatory and punitive damages for those affected by the breach, along with 10 years’ worth of identity and credit monitoring paid for by the defendants.

“Data breaches are here to stay and will only increase in number as hackers get more and more sophisticated, so we are pleased that we will be able to proceed with this lawsuit,” Carlin Phillips, one of the ACLU’s attorneys handling the case, said in a statement Wednesday.