PROVIDENCE – The Donald W. Wyatt Detention Facility is facing a class-action lawsuit over a data breach last fall that compromised the private information of more than 20,000 people, including detainees, staff and vendors.
Jacob Hellested, a former job applicant to the federal prison in Central Falls, sued Wyatt this week on behalf of himself and all similarly situated people who had their information, including Social Security numbers, financial data and private health information, extracted from its internal network and posted on the dark web.
He alleges the prison neglected to safeguard their private information with the latest cybersecurity measures, and is also suing for breach of contract for allowing the lapse to occur, as well as unjust enrichment.
He asks the court to order the prison to implement security measures to protect private information and to pay for lifetime credit monitoring for people impacted by the breach, as well as unspecified damages.
“The affected class of individuals may feel the consequences of this data breach for years to come, as it has the potential to disrupt their personal and financial well-being," Hellested's lawyer, Peter N. Wasylyk, said in an email.
Wyatt expressed regret over the 2023 breach, the result of a cyberattack.
"We quickly took steps to minimize its impact, and eligible individuals are entitled to receive free credit monitoring at the facility’s expense. Because this case is currently in litigation, we have no further comment," the Donald W. Wyatt Detention Facility said in a statement Wednesday.
More: Data breach at Wyatt steals info of detainees, staff and vendors. What to know.
Number of potential victims skyrockets
Wyatt released a statement in November acknowledging that the quasi-private public prison was hacked by an unknown intruder.
At the time, the facility said “at least 1,454 detainees, 438 current and former staff, and 92 outside vendors" were affected and that their private information had been posted on the dark web.
The FBI was involved in investigating the breach, which was discovered Nov. 2.
On July 1, Wyatt officials posted an update on the prison’s website , admitting that the breach was far more sweeping than previously believed.
The number of those impacted grew to 12,890 detainees; 7,618 current, potential, and former staff; and 185 outside vendors were affected.
The information at risk included certain financial information; detainees’ medical information; current, potential, and former staff information, such as beneficiary information and disciplinary/counseling actions; vendor information; and incident reports.
The compromised data encompassed names; home addresses; cellphone numbers; birth and hire dates; job titles; workers’ compensation and unemployment information; and, “in some, but not all, instances, Social Security numbers or taxpayer identification numbers.”
Potential victims alerted to breach eight months later
According to Hellested’s complaint, he was also notified by letter July 1, 2024 that his information was exposed by the breach – namely his address, cellphone number, date of birth, and Social Security number. The suit emphasizes that he was told eight months after the prison learned it had been hacked, which did not give him an opportunity to immediately take steps to safeguard his information.
“The data breach was a direct result of defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect plaintiff(s) and class members’ private information,” the lawsuit says.
As a result, Hellested and others suffered potential losses resulting from identity theft, out-of-pocket expenses, and the value of their time spent trying to mitigate the effects of the attack. In addition, they may have to incur out-of-pocket costs for credit monitoring services, credit freezes, credit reports or other protective measures to deter and detect identity theft.
Hellested argues that Wyatt should have known to employ the latest security measures due to high-profile attacks by cyber criminals on entities nationwide.
Nation’s first publicly owned and privately operated adult correctional facility
Wyatt was established in 1993 as the nation’s first publicly owned and privately operated adult correctional facility. It is operated by the Central Falls Detention Facility Corporation and developed for use by the U.S. Marshal Service in the Northeast. It was later extended to hold detainees of the Immigration and Customs Enforcement Agency.
It houses detainees from Rhode Island, Connecticut, Massachusetts, New Hampshire, Maine and Vermont. It also houses those in the custody of the Federal Bureau of Prisons, the Navy and the Mashantucket Pequot Tribe.
It can house 770 people and includes a 40-bed unit for women.
This article originally appeared on The Providence Journal: Their information was leaked in the Wyatt data breach. Now, there's a class action lawsuit.
Most Popular
Comments / 0