The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

RIPTA, UnitedHealthcare of New England Sued Over 2021 Data Breach

The American Civil Liberties Union of Rhode Island (ACLU of RI) is taking legal action against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over an August 2021 data breach that affected more than 22,000 individuals.

According to RIPTA, a cyberattack on its systems was detected and blocked on August 5, 2021. The breach was investigated, and it was determined that the attackers had gained access to its network two days earlier, on August 3. A review of the files on the compromised parts of its network found that they contained the data of 5,015 members of its group health plan, including names, dates of birth, Social Security numbers, and health plan ID numbers.

The breach was reported to the HHS’ Office for Civil Rights as affecting 5,015 individuals; however, the information of a further 17,378 individuals who were not RIPTA employees was also compromised. Notification letters were sent to all affected individuals four months after the breach was discovered, prompting multiple complaints to the Rhode Island Attorney General from non-RIPTA employees demanding to know how and why RIPTA had their data. According to RIPTA, those individuals were insured by UnitedHealthcare, RIPTA’s previous health insurance provider, and UnitedHealthcare had provided RIPTA with files containing the data of non-RIPTA employees.

Steven Brown, ACLU of RI Executive Director, told HIPAA Journal, “To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.”


The lawsuit was filed on behalf of plaintiffs Alexandra Morelli, a URI employee, and Diane Cappalli, a retired RIPTA employee, and seeks to represent a class of more than 20,000 affected individuals. The lawsuit alleges the plaintiffs and class members have been exposed to an ongoing risk of fraud and identity theft, which requires them to constantly monitor their financial accounts and credit reports because their personal information is now in the hands of cybercriminals. Morelli alleges she has already been a victim of fraud, with unauthorized charges on her credit cards and withdrawals from her bank account.

The lawsuit alleges the defendants were negligent in failing to implement appropriate safeguards to protect sensitive employee and health plan member information, including failing to encrypt data and to properly maintain, protect, purge, and safely destroy data. These failures are alleged to have violated two Rhode Island state laws: the Identity Theft Protection Act of 2015 and the Confidentiality of Health Care Communications and Information Act.

The lawsuit also takes issue with the length of time it took to issue breach notifications, which were sent 138 days after the data breach was discovered. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a breach, and Rhode Island state law requires notification within 45 days. Further, the notifications did not contain sufficient information, such as whether Social Security numbers had been exposed, and RIPTA’s website notification, published in December 2021, failed to state that the data of non-RIPTA employees had also been breached.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, and an order requiring the defendants to cover the cost of “adequate” credit monitoring and identity theft protection services, specified in the complaint as 10 years of coverage. The lawsuit also calls for the defendants to implement and maintain a comprehensive information security program.

“Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ,” said Brown. “As we pursue a legal remedy for this tremendous breach of personal and medical privacy, we believe this incident should also serve as a wake-up call to the General Assembly to strengthen the remedies available to victims of these breaches.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
