Pennsylvania sued Uber Technologies Inc. today, becoming the latest government to take legal action over the ride-hailing giant’s coverup of a data breach that affected 57 million customer and contractors in 2016.

The new suit, announced by Attorney General Josh Shapiro Monday, alleges that Uber violated Pennsylvania’s Breach of Personal Information Notification Act, a law that requires companies that experience a data breach to notify those affected within a reasonable time.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

The suit itself addresses compensation for Uber drivers specifically. Shapiro claims there are 13,500 in his state, and the lawsuit seeks payment of $1,000 for each violation, $13.5 million in total.

Pennsylvania joins a growing list of states and municipalities that have filed lawsuits against Uber. After it was reported in November that at least five states were investigating Uber over their failure to disclose its data breach, Washington became the first to file a lawsuit in later the same month, followed by the City of Chicago on the same grounds as Pennsylvania — failure to comply with its local data breach notification law.

The number may well yet grow. The Hill reported that there are now 43 states investigating Uber over the matter.

For its part, Uber said that although it was disappointed by Pennsylvania’s lawsuit, it took responsibility for the failure to disclose.

“We make no excuses for the previous failure to disclose the data breach,” Uber’s chief legal officer, Tony West said in statement. “While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or Social Security numbers, which present a higher risk of harm than driver’s license numbers.”

Photo: ell-r-brown/Flickr