On March 10, the American Civil Liberties Union (ACLU) of Rhode Island announced a proposed settlement of $350,000 stemming from a class action lawsuit against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England. This development follows an alleged data breach at RIPTA in August 2021, which resulted in the exposure of personal and health information affecting more than 19,000 employees from both RIPTA and the state.
The proposed settlement is set to be reviewed by R.I. Superior Court Judge Brian Stern on March 31. The aim of this settlement is not only to provide financial restitution but also to address significant concerns regarding data security for those affected. Class action members may receive compensation for various out-of-pocket expenses, including up to $1,000 for costs like bank fees, compensation for lost time capped at four hours at an hourly rate of $15, and potential payouts of up to $7,500 for “extraordinary losses” related to fraud or identity theft.
In addition to monetary compensation, the settlement package includes a provision for five years of complimentary credit monitoring for all class members, which carries a collective value in the millions of dollars. Steven Brown, executive director of the ACLU of Rhode Island, stated that this initiative provides individuals the opportunity to vigilantly monitor their credit and respond promptly to any signs of fraud. However, he also noted that no settlement can completely alleviate the lasting repercussions of a data breach.
The lawsuit implicates UnitedHealthcare for allegedly sharing personal information of non-RIPTA state employees with RIPTA, which was later compromised during the breach. Christopher Durand, CEO of RIPTA, described the proposed settlement as “mutually agreeable.” In light of this settlement, RIPTA has pledged to enhance its practices to prevent future incidents. Director of Communications and Public Outreach Cristy Raposo Perry indicated that the organization has implemented measures to strengthen its information security processes, including improved security protocols and enhanced employee training in cybersecurity.
As part of the settlement agreement, RIPTA has provided the ACLU with confidential details about the steps being taken to bolster cybersecurity measures. Amy Glidden, co-coordinator of the Rhode Island Transit Riders advocacy group, remarked that the breach seems not to be a significant concern for riders, who are primarily focused on securing full funding for RIPTA amidst its existing budget challenges.
However, reactions to the settlement have not been universally positive. Rep. Robert Phillips (D-Woonsocket, Cumberland) expressed concerns over the adequacy of the proposed amount, underscoring the broad impact on individuals whose information was compromised. In response to these ongoing cybersecurity concerns, Phillips is sponsoring legislation aimed at amending the Identity Theft Protection Act of 2015. This amendment would reduce the notification period for companies to inform those affected by data breaches and eliminate the current threshold that requires at least 500 individuals to be impacted for notifications to be mandatory.
This case exemplifies the increasing attention on data protection policies in Rhode Island, particularly following other recent breaches, including the December RIBridges incident. As organizations grapple with the realities of cybersecurity threats, the ACLU of Rhode Island has voiced its support for legislative efforts to strengthen the state’s identity theft protections, recognizing the vital need for improved cybersecurity measures.
The reporting on this breach does not specify how the attacker gained access, so any mapping to the MITRE ATT&CK framework is speculative. Initial-access techniques such as phishing or exploitation of vulnerabilities in third-party software are plausible but unconfirmed routes into RIPTA’s systems. The case nonetheless underscores the importance of a robust cybersecurity program and of proactive measures to reduce risk and protect sensitive data.