RIPTA to Resolve Ransomware Attack Lawsuit with $350,000 Settlement Fund

Rhode Island Public Transit Authority (RIPTA) has agreed to settle a lawsuit over a 2021 ransomware attack. The attack was discovered and stopped on August 5, 2021; however, the forensic investigation revealed that hackers had accessed RIPTA's system on August 3, 2021, and stolen sensitive information such as names, birth dates, health plan ID numbers, and Social Security numbers. RIPTA reported the data breach on December 23, 2021, and stated that the personal data of 17,378 current and former state workers was exposed in the attack. The protected health information (PHI) of 5,015 health plan members was also exposed.

Individuals filed complaints with the Rhode Island Attorney General about the data breach. They asked how their data could have been affected by the ransomware attack when they had no dealings with RIPTA. The Attorney General’s office investigated the incident and discovered that RIPTA’s former medical insurance company, UnitedHealthcare of New England, had given RIPTA files that contained the information of non-RIPTA staff, and that information was exposed in the attack.

In 2022, the American Civil Liberties Union of Rhode Island (ACLU of RI) filed a lawsuit against RIPTA and UnitedHealthcare of New England seeking attorneys’ fees, actual and punitive damages, credit monitoring services for 10 years, and a court order requiring the defendants to follow a comprehensive data security plan. The lawsuit alleged that the defendants were negligent because they did not employ suitable data security procedures and did not correctly manage, purge, and securely delete information, in violation of the Rhode Island Deceptive Trade Practices Act and the Rhode Island Identity Theft Protection Act.

The plaintiffs maintain that their claims have merit, while the defendants deny any liability or wrongdoing. After lengthy mediation, all parties agreed to settle the litigation to avoid the risks, uncertainty, and expense of continuing it. The terms of the settlement require the defendants to create a $350,000 settlement fund to pay for claims, administration expenses, service awards, and class notice expenses. If the total amount claimed is more than the settlement fund, the defendants said they would add an extra $25,000 to the fund. State workers whose data was compromised in the data breach can claim up to $1,000 for out-of-pocket expenses linked to the breach, up to 4 hours of lost time at $15 per hour, and up to $7,500 as reimbursement for extraordinary losses such as identity theft and fraud. In addition, affected state workers can claim free credit monitoring services for 5 years, which the ACLU of RI valued at over $16.4 million.

Data breach settlements aren’t just about monetary compensation. They are also about giving affected people the tools to identify and deal with possible fraudulent activity so they can protect their financial and data security. HIPAA and state privacy laws help protect individuals’ data against the impact of data breaches.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.