The former girlfriend of a Crystal police lieutenant charged last year with illegally using state driver's licenses databases to track down her personal information is now suing the man and the city for which he used to work.

In a civil complaint filed in federal court, Sonia Sorto alleges that Derrick Hacker improperly accessed the Minnesota Driver and Vehicle Services (DVS) database on 60 separate occasions in 2019 and 2021 — sometimes up to 12 times in a day — to gather information he used to stalk her.

Ramsey County prosecutors in April 2022 charged Hacker with 12 gross misdemeanor and six misdemeanor counts including misconduct by a public officer, unauthorized penetration of a computer security system and violation of the state data practices act. The case is still pending.

Mark Hodkinson, an attorney for Hacker, said Thursday that his client "denies the allegations and intends to vigorously defend the lawsuit."

Susan Tindal, an attorney representing the city of Crystal in the case, said in a statement to the Star Tribune on Thursday that the city denies the allegations against it in the complaint.

"When the City was alerted to possible violations by Defendant Hacker, they took appropriate steps to investigate the matter," Tindal said. "All Crystal Police Officers are trained in proper use of law enforcement data bases."

A message was left seeking comment from attorneys representing Sorto. Crystal Police Chief Stephanie Revering said that Hacker's last date of employment with the department was Oct. 31, 2022.

According to the complaint, a woman first contacted Crystal police in June 2021 to complain that Hacker had unexpectedly shown up at her former boyfriend's home a day earlier asking the whereabouts of Sorto. Hacker allegedly said he was investigating an identity theft case involving Sorto. The person was suspicious because they knew Hacker had previously dated Sorto for two years.

Crystal's deputy police chief later found in Hacker's desk several handwritten notes related to Sorto, including phone numbers and a printout of driver's license and vehicle information Hacker retrieved from a secure website belonging to the DVS.

A Minnesota Bureau of Criminal Apprehension (BCA) criminal investigation determined that Crystal police had no open identity theft cases involving Sorto. She told the BCA that Hacker would show up periodically at her house unannounced. She hadn't spoken to him since 2017 and had moved several times since then. She said she reported no identity theft cases to police.

As part of the BCA's criminal investigation, Hacker did not deny making the database queries but said he had been following up on a tip-line call to the Police Department about stolen mail and identity theft. The BCA searched all records for Sorto and found no such cases linked to her, nor did the investigation yield such hits in a scan of recent tip-line calls.

Hacker's attorney told the investigator that he had been working on a voter fraud case, but the BCA again could not find police records of any such cases involving Sorto.

Hacker held six different job titles with the Crystal Police Department between 1999 and 2022 before he was charged criminally last year. He testified in several high-profile criminal cases, including the trial of Mohamed Noor, the Minneapolis police officer who was convicted in 2019 of the fatal shooting of Justine Ruszczyk Damond.

Sorto is seeking $2,500 in damages from Hacker and the city of Crystal per each violation of the Driver's Privacy Protection Act (DPPA). Hacker would sometimes improperly look up Sorto's personal information up to a dozen times per day, the lawsuit alleges.

Sorto's attorneys wrote in the complaint the city of Crystal's "failure to properly oversee access to and usage of the DVS database by ... Hacker has left her embarrassed, upset, and confused by these multiple intrusions into her private driver's license data" in violation of the DPPA.

The complaint said that the city of Crystal is "vicariously liable" for Hacker's actions "because it knowingly gave him access to protected information for purposes not permitted under the DPPA, and that information was later specifically used by ... Hacker for the very harms that the DPPA sought to prevent, namely, to stalk a former 'romantic' interest."

High-profile breaches of the state's DVS database date back more than a decade, and have resulted in millions of dollars in settlement payouts for Minnesotans whose protected information was accessed by law enforcement or others. A 2013 state audit found common misuse of such data.