Morelli v. R.I. Pub. Transit Auth.

• Docket Number: C. A. PC-2022-6145
• Decision Date: 29 November 2023
• Parties: ALEXANDRA MORELLI, DAVID NOVSAM, AUDREY SNOW, BETTY J. POTENZA, NORMAN R. PLANTE, EILEEN BOTELHO, GARY RUO, DAVID A. ROSA, ROBIN KULIK, CARONAH CASSELL-JOHNSON, SHEILA M. GALAMAGA, CAITLYN LAMARRE, and DIANE M. CAPPALLI, individually and on behalf of all others similarly situated, Plaintiffs, v. RHODE ISLAND PUBLIC TRANSIT AUTHORITY and UNITEDHEALTHCARE OF NEW ENGLAND, INC., Defendants.
• Court: Rhode Island Superior Court

1

ALEXANDRA MORELLI, DAVID NOVSAM, AUDREY SNOW, BETTY J. POTENZA, NORMAN R. PLANTE, EILEEN BOTELHO, GARY RUO, DAVID A. ROSA, ROBIN KULIK, CARONAH CASSELL-JOHNSON, SHEILA M. GALAMAGA, CAITLYN LAMARRE, and DIANE M. CAPPALLI, individually and on behalf of all others similarly situated, Plaintiffs,
v.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY and UNITEDHEALTHCARE OF NEW ENGLAND, INC., Defendants.

C. A. No. PC-2022-6145

Superior Court of Rhode Island, Providence

November 29, 2023

For Plaintiffs: Peter N. Wasylyk, Esq.

For Defendants: Brian J. Lamoureux, Esq.; William J. Lynch, Esq.

DECISION

STERN, J.

Before the Court are (1) Defendant UnitedHealthcare of New England, Inc.'s (UHC) Motion to Dismiss Plaintiffs Alexandra Morelli (Morelli), David Novsam (Novsam), Audrey Snow (Snow), Betty J. Potenza (Potenza), Norman R. Plante (Plante), Eileen Botelho (Botelho), Gary Ruo (Ruo), David A. Rosa (Rosa), Robin Kulik (Kulik), Caronah Cassell-Johnson (Cassell-Johnson), Sheila M. Galamaga (Galamaga), Caitlyn Lamarre (Lamarre), and Diane M. Cappalli's (Cappalli) (collectively, Plaintiffs) Amended Complaint; and (2) Defendant Rhode Island Public Transit Authority's (RIPTA) Motion to Dismiss Counts 1 and 3 of Plaintiffs' Amended Complaint. Jurisdiction is pursuant to Rule 12 of the Superior Court Rules of Civil Procedure.

2

I

Facts and Travel

By way of background, Morelli is a Rhode Island resident employed by the University of Rhode Island. (Am. Compl. ¶ 15.) Novsam is a Rhode Island resident employed by RIPTA. Id. Snow is a Rhode Island resident employed by the State of Rhode Island (the State). Id. Potenza is a Rhode Island resident employed by the State. Id. Plante is a Rhode Island resident employed by the Rhode Island Department of Corrections (the DOC). Id. ¶ 16. Botelho is a Massachusetts resident employed by the Rhode Island Department of Elementary and Secondary Education (RIDE). Id. Ruo is a Rhode Island resident and a retiree from the DOC. Id. Rosa is a Rhode Island resident employed by Rhode Island College. Id. Kulik is a Rhode Island resident and a retiree from the DOC. Id. Cassell-Johnson is a Rhode Island resident employed by the State. Id. ¶ 17. Galamaga is a Rhode Island Resident employed by RIDE. Id. Lamarre is a Rhode Island resident employed by the Rhode Island Department of Human Services. Id. Cappalli is a Florida resident and a retiree from RIPTA. Id. RIPTA is a quasi-governmental entity located in Providence, Rhode Island. Id. ¶ 18. UHC is a Rhode Island corporation having its principal place of business in Warwick, Rhode Island. Id. ¶ 19.

The State provides health insurance to its employees through a self-insured health insurance plan (the State Plan). Id. ¶ 21. RIPTA provides health insurance to its employees through its own self-insured health insurance plan (the RIPTA Plan). Id. ¶ 23. For some period, UHC administered both the State Plan and the RIPTA Plan. Id. ¶¶ 5, 22, 24. On or about August 5, 2021, RIPTA identified a breach (the Data Breach) of its system between August 3, 2021 and August 5, 2021, in which RIPTA's computer systems were accessed by unauthorized persons. Id. ¶ 29. The Data Breach resulted in the downloading of about 44,000 files containing personal

3

healthcare information (PHI) and personally identifiable information (PII) of about 17,000 RIPTA and State employees and retirees. Id. ¶ 38. The PHI and PII contained "plan member names, Social Security numbers, addresses, dates of birth, Medicare information numbers and qualification information, health plan member identification numbers, healthcare claim amounts, and dates of service for which claims were filed." Id. ¶ 40. The files were supplied to RIPTA by UHC and were allegedly not adequately encrypted or secured against unauthorized access by third parties. Id. ¶ 33.

RIPTA conducted an internal investigation and, on October 28, 2021, determined that the Data Breach resulted in the unauthorized access of current and former RIPTA and State Plan members and their families' PHI and PII. Id. ¶ 37. RIPTA notified 17,378 Rhode Island residents of the Data Breach in a letter dated December 21, 2021. See generally Am. Compl. Ex. A. The letter further offered credit monitoring services through Equifax to affected persons. Id. RIPTA also posted a notice about the Data Breach online, stating that the breach was limited to personal information of health plan beneficiaries. (Am. Compl. ¶ 48.) At a State Senate oversight hearing, RIPTA announced that, in addition to the Rhode Islanders victimized by the breach, roughly 5,000 out-of-state residents' information were accessed in the Data Breach. Id. ¶ 50.

Plaintiffs allege that they received correspondence from RIPTA in December 2021 or January 2022, which notified them that their PHI and PII were compromised as a result of the Data Breach. See id. ¶¶ 74, 89, 119, 135, 156, 173, 190, 204, 221, 237, 254, 269. Plaintiffs make the following allegations as to harms they suffered thereafter:

1. Morelli alleges that after the Data Breach, she was the target of fraudulent transactions and suspicious activity on several credit cards, as well as six withdrawals from her Citizens Bank savings account totaling $29,999. Id. ¶ 78. She was forced to close

4

credit and debit accounts and put a stop on all withdrawals from her savings account, which disrupted her ability to timely pay bills through automatic withdrawals. Id. ¶ 79

2. Novsam alleges that he received an alert in October 2022 that his personal information was found on the "Dark Web," and has since received more than thirty text message alerts stating that his PII was found on the Dark Web. Id. ¶¶ 93-94. Additionally, he alleges that his wife has had credit card accounts opened in her name. Id. ¶ 95;

3. Snow alleges that, because of the Data Breach, an unknown person attempted to steal her identity by filing for a change of address, switching her address with one of Snow's doctors, and opening a credit card in her name. Id. ¶ 106. Snow maintains that this fraudulent activity occurred because her confidential information was posted and sold on the Dark Web. Id.;

4. Potenza alleges that nine unauthorized withdrawals were made from her Citizens Bank checking account between October 14, 2022 and October 20, 2022, totaling $11,658.43. Id. ¶ 121;

5. Plante alleges that, in September 2022, he received a hard inquiry on his credit report for a credit card from Premier Bank of Vegas. Id. ¶ 146. He avers that he did not apply for the card and contacted the bank to stop its issuance. Id. ¶ 147. He maintains that he submitted paperwork to remove the hard inquiry but is still waiting for his credit score to be restored. Id. ¶ 148-49;

6. Botelho alleges that, on or about July 19, 2022 or July 20, 2022, an unauthorized withdrawal in the amount of $18,000 was made from her Citizens Bank checking account to pay a Chase credit card. Id. ¶ 158. Botelho avers that she did not make such a payment and does not own a Chase credit card. Id. She also alleges that, in the fall

5

of 2022, she experienced suspicious activity on her credit cards and was forced to cancel the cards and receive new ones. Id. ¶ 159;

7. Ruo alleges that, in January 2022, Equifax notified him that his Social Security number was found on a fraudulent internet trading website. Id. ¶ 175. Ruo avers that, because of Equifax's notice, he purchased an identity theft protection plan in the amount of $180. Id. ¶ 176;

8. Rosa alleges that, after learning of the Data Breach, he purchased an identity theft monitoring service for $160. Id. ¶ 202. He further alleges that the monitoring service was renewed in January 2023 for an additional $160. Id.;

9. Kulik alleges that Credit Karma and McAfee informed Kulik that her PII was found on the Dark Web but does not allege any specific financial harms. See id. ¶ 206;

10. Cassell-Johnson alleges that, after the Data Breach, she was unable to electronically file her federal and state tax returns because a third party fraudulently filed them in her name. Id. ¶ 230. No other specific financial harms are alleged. See id. ¶¶ 220-35;

11. Galamaga alleges that, after the Data Breach, false accounts were made in Galamaga's name through Stash.^[1] Id. ¶ 239. Several wire transfers were allegedly attempted to steal funds from her checking account. Id. She further avers that her Social Security number and date of birth were compromised. Id. As a result, Galamaga was forced to close her bank account and open a different account at a new bank. Id. ¶ 240. She was also forced to discard five hundred purchased checks connected to her now-compromised bank account. Id.;

6

12. Lamarre alleges that cybercriminals attempted to wire transfer funds out of her bank account but were unsuccessful. Id. ¶ 256. However, Lamarre was forced to close her bank account and open a new one. Id. As a result, her automatic bill payments were terminated, and she incurred monetary penalties on returned payments. Id.; and

13. Cappalli does not allege financial harms from the Data Breach. See id. ¶¶ 269-272.

On October 25, 2022, Morelli and Cappalli filed a Complaint. See Docket, PC-2022-06145. On February 13, 2023, an Amended Complaint was filed adding the other Plaintiffs and sounding in, inter alia, (1) violations of the Identity Theft Protection Act, G.L. 1956 chapter 49.3 of title 11; (2) violations of the Confidentiality of Health Care Communications and Information Act, chapter 37.3 of title 5; (3) negligence; (4) breach of contract; (5) breach of implied contract; and (6) violations of the Deceptive Trade Practices Act, chapter 13.1 of title 6. See Am. Compl. On March 31, 2023, Defendants each filed Motions to Dismiss the Amended Complaint. See Docket, PC-2022-06145. Plaintiffs objected on May 30, 2023. See...