PROVIDENCE, R.I. (WPRI) — The American Civil Liberties Union (ACLU) of Rhode Island announced Tuesday that it’s filing a class action lawsuit against the R.I. Public Transit Authority (RIPTA) and United Healthcare (UHC) over a data breach that affected as many as 22,000 state employees.

The Aug. 2021 cyberattack, according to the lawsuit, compromised data files provided to RIPTA by UHC containing the personal and health care information of those workers, most of whom had no association with RIPTA. This exposed them to an “ongoing risk of fraud and identity theft,” the plaintiffs said.

The lawsuit alleges RIPTA and UHC were “negligent in failing to properly maintain, protect, purge and safely destroy the data” and failed to notify those affected in a timely manner.

The complaint is being filed on behalf of two named plaintiffs: Diane Cappalli, a now-retired RIPTA employee, and Alexandra Morelli, a URI employee.

Morelli spoke at a news conference held Tuesday morning by the ACLU and two of its cooperating attorneys. She said within a few weeks of the breach, fraudulent purchases were made on her credit cards and thousands of dollars were withdrawn from her personal savings account.

She also described the steps she took to report the problem and seek help, but said she was met only with frustration.

“I’m participating in this to help others that may be affected,” Morelli stated. “I’ve already done what I’ve needed to do myself, but what’s frustrating is there was no support and there continues to be no support.”

The lawsuit seeks compensatory and punitive damages for those affected by the breach, along with 10 years’ worth of identity and credit monitoring paid for by the defendants.

But ACLU Executive Director Steven Brown and lead attorney Peter Wasylyk said it goes beyond getting relief for those state employees; they hope to get answers as to how the breach happened, why RIPTA had the personal records of thousands of employees who didn’t work for them, and why it took four months for the agency to alert those who were impacted.

“It is now more than a year since this breach occurred, yet we still don’t have answers to many basic questions about this incident,” Brown said.

“We believe it is just as important to get answers to these questions as it is to obtain legal relief for the individuals who have been victimized by this breach,” he added. “If we don’t get those answers, then we think it will be way too easy for something like this to happen again.”

An email address – riptadatabreach@riaclu.org – has been set up so claimants can share information and evidence of harm caused by the breach.

Earlier on Tuesday, a spokesperson for RIPTA told 12 News that it has “not been notified of or served with a lawsuit from the ACLU of Rhode Island” and offered no further comment.

UHC spokesperson Sarah Mann released a statement saying the provider is assisting where it can with the investigation.

“Protecting member privacy is a top priority and we continue to work with multiple parties to understand the data breach that impacted the Public Transit Authority’s computer system,” Mann wrote. “We were privileged to serve the State of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter.”

The U.S. Office of Civil Rights launched an investigation into the breach earlier this year.

Rhode Island Attorney General Peter Neronha also initiated an investigation into the data breach last December, shortly after his office was notified of the incident.

“The investigation has focused not only on the issue of the timing and adequacy of the notification of the breach to this office and to the public, but also whether United Healthcare, the former administrator of the state’s employee health benefit plan, properly safeguarded individuals’ information,” a spokesperson said in a statement.

The spokesperson said Neronha “continues to pursue all available avenues to ensure the protection of personal information in the custody of state agencies as well as accountability for failure to safeguard this information and comply with state and federal reporting requirements.”