A massive data breach at the Rhode Island Public Transit Authority (RIPTA) has finally reached a potential resolution. The August 2021 breach exposed sensitive information of over 20,000 individuals, including Social Security numbers and healthcare data. Weirdly enough, it affected many state employees who never even worked for RIPTA. Russian hackers got their hands on all of it.
The ACLU of Rhode Island didn’t waste time. They filed a class-action lawsuit in 2022 against both RIPTA and UnitedHealthcare New England. Their claim? Blatant negligence in protecting and destroying data. Judge Brian Stern wasn’t buying the defendants’ attempts to dismiss the case. The judge specifically found sufficient legal standing based on the plaintiffs’ identity theft and hacking claims.
Now there’s a settlement on the table. RIPTA and UHC are coughing up $350,000, with another possible $25,000 if needed. That’s right, the maximum payout for exposing thousands of people’s private information is capped at a measly $375,000. The court still needs to approve it, with a hearing set for March 31, 2025.
What’s in it for the victims? Up to $1,000 for out-of-pocket expenses, a whopping $15 per hour for up to 4 hours of lost time, and possibly $7,500 for “extraordinary losses.” Oh, and five years of one-bureau credit monitoring. How generous. The retail value of this monitoring service is estimated at $840 per member.
The 12 named plaintiffs will each receive $1,500. RIPTA also promised to improve its data protection. Because clearly, it needed a lawsuit to figure that out. This case highlights why risk assessments are vital for identifying vulnerabilities before they lead to costly breaches.
This case is making history as the first of its kind in Rhode Island. It highlights the sorry state of consumer protection laws and raises serious questions about data security in public agencies.
Will this settlement actually prevent future breaches? Probably not. But it does show that organizations are being held somewhat accountable for their data blunders.
The settlement covers about 19,000 affected individuals, which breaks down to roughly $18 per person. Not exactly life-changing money for having your identity compromised.