PROVIDENCE — The Rhode Island Public Transit Authority and UnitedHealthcare New England would set up a $350,000 fund for victims of a RIPTA data breach under the proposed settlement of a class-action lawsuit, the American Civil Liberties Union of Rhode Island announced this past week.
The data breach affected about 22,000 people when the personal information — including Social Security numbers and Medicare identification numbers — of about 5,000 RIPTA employees and retirees, and thousands of other current, former, and retired state workers, was hacked in August 2021 through unauthorized access to RIPTA’s computer system.
A hearing is set for March 31 before state Superior Court Judge Brian Stern to consider preliminary approval of the proposed settlement.
“This settlement not only offers financial compensation but, even more critically, provides long-term credit monitoring,” ACLU of Rhode Island cooperating attorney Peter Wasylyk said in a statement. “This essential safeguard in the form of five years of free monitoring will enable individuals to continuously monitor their credit and, if needed, take swift action against potential fraud, giving them peace of mind for years to come.”
RIPTA CEO Christopher Durand said the bus agency is pleased to have reached a “mutually agreeable settlement.”
“This settlement was the product of lengthy good-faith negotiations and successful mediation efforts,” Durand said. “We look forward to finalizing and implementing the parties’ proposed settlement and continuing to focus on our core mission.”
In a statement, RIPTA said it recognizes “the concern and inconvenience” caused by the data breach.
“RIPTA takes seriously the security and privacy of the information in our care, and we have taken steps to strengthen our information security processes, including further enhancing our security protocols, document handling practices, and cybersecurity training for our employees,” RIPTA said.
RIPTA has sufficient insurance coverage for all of its costs associated with the proposed settlement, spokeswoman Cristy Raposa Perry said.
In a statement, UnitedHealthcare said protecting member privacy is “a top priority” for the company. “While the events in question did not involve a breach of any of UnitedHealthcare’s systems, we are pleased the parties could agree on a resolution that, if approved by the court, will end this litigation,” UnitedHealthcare said.
Under the proposed settlement:
■ RIPTA and UnitedHealthcare will establish a $350,000 settlement fund, with the possible addition of $25,000 more if claims exceed that amount, as financial compensation to those class members who submit approved claims.
■ Members of the class can claim up to $1,000 for documented, unreimbursed out-of-pocket expenses related to the data breach or efforts to mitigate its effects, such as bank fees, card replacement costs, identity document fees, and credit monitoring services.
■ Members of the class can claim up to four hours of lost time at $15 per hour for addressing issues related to the data breach by submitting an attestation form. This can include activities like changing passwords, monitoring accounts, contacting financial institutions, signing up for fraud protection, or researching the incident and its impact.
■ Members of the class may claim up to $7,500 for documented “extraordinary losses” resulting from identity theft, fraud, falsified tax returns, or other misuse of personal information caused by the data breach.
■ Members of the class who sign up during the claims period will receive five years of free one-bureau credit monitoring that sells for a retail value of $840 per class member.
■ The 12 individually named plaintiffs who represented the class may be awarded additional financial compensation and will each receive $1,500 for their service as representative plaintiffs.
Wasylyk and attorney Carlin Phillips filed the class-action lawsuit in 2022, arguing that the defendants did not adequately encrypt and secure the personal information from unauthorized access by third parties as required by federal standards, and were negligent in failing to properly maintain, protect, purge, and safely destroy the data.
The data files provided by UnitedHealthcare to RIPTA that were part of the breach included information not only for individuals insured under RIPTA’s health care plan but also for thousands of non-RIPTA state employees, according to the ACLU.
The suit alleged that these deficiencies violated state laws designed to preserve health care confidentiality and protect against identity theft.
According to the settlement agreement, RIPTA has supplied confidential information describing changes in its procedures and practices to prevent similar data breaches from occurring.
Edward Fitzpatrick can be reached at edward.fitzpatrick@globe.com. Follow him @FitzProv.