Rhode Island AG opens investigation into transit authority data breach after ACLU letter | ZDNet

Rhode Island Attorney General Peter Neronha told The Providence Journal on Thursday that he is going to open an investigation into a data breach involving the Rhode Island Public Transit Authority (RIPTA) after outrage grew this week over the agency’s handling of the incident.  

Neronha’s office told the news outlet that they are receiving a high number of calls about the incident, prompting them to look into what happened. 

On December 21, RIPTA sent out a notice saying that it first identified a “security incident” on August 5 and eventually discovered that data was exfiltrated from its systems between August 3 and August 5. The files contained information about RIPTA health plans and included Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers and claims information.

They offered victims identity monitoring services through Equifax. The US Department of Health and Human Services breach website indicates that 5,015 people were affected.

But earlier this week, the ACLU of Rhode Island asked RIPTA to explain why the personal information of people with no connection to the agency was included in the data breach.

Local ACLU chapter executive director Steven Brown said they have received complaints from people who got letters from the agency notifying them that their personal data, including personal health care information, was accessed in a security breach of RIPTA’s computer systems. 

The letter notes that the numbers from the US Department of Health and Human Services do not match those found in the breach notices sent to victims. The RIPTA notice to victims said the breach involved the information of 17,378 people in Rhode Island, according to the ACLU. 

“According to the letter, the information that was stolen included the person’s ‘name, Social Security number, and one or more of the following: address, date of birth, Medicare identification number and qualification information, health plan member identification number and claims information,'” the ACLU said.

“According to the letter, the breach was identified on August 5th, but it was purportedly not until October 28th — over two and a half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals. But worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency.”

Brown added that the incident was “disturbing” and led many to be concerned about how identity thieves would use the information. 

The ACLU also charged that RIPTA was not being forthright publicly about the breach, noting that its public statements about the incident are very different from the letters being sent to victims. The initial statement implied that those affected were only the beneficiaries of RIPTA health plans.

“Based on the complaints we have received, this is extremely misleading and seriously downplays the extensive nature of the breach. Most importantly, it ignores, and fails to address, a host of questions regarding how the information that was hacked was in RIPTA’s hands in the first place,” Brown wrote.

“Contrary to your agency’s statement that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus. The only connection that they all seem to have is that they are, or were, state employees. Nothing in RIPTA’s notice or letter explains why the personal health care information of non-RIPTA employees was in its computer system in the first place.”

RIPTA senior executive Courtney Marciano told ZDNet the state’s previous health insurance provider sent the files that included the sensitive information of those not working for RIPTA.

Marciano added that RIPTA only mailed out notification letters to individuals whose personal information was contained in the files that were accessed by the hackers. Those files are from a provider who administered a plan that is no longer active.

“Upon discovering this incident, RIPTA worked diligently to verify all individuals (both internal RIPTA employees, as well as individuals outside of the agency) whose personal information was in the files that were accessed or infiltrated by an unauthorized party. After the analysis was complete, RIPTA searched its records and identified address information for those individuals,” Marciano said. 

“This process was time and labor-intensive, but RIPTA wanted to be certain what information was involved and to whom it pertained. No passenger information was compromised.”

The Providence Journal noted that RIPTA previously used UnitedHealthcare but now uses Blue Cross/Blue Shield of Rhode Island. 

The situation caused even more outrage when Rep. Edith Ajello told the news outlet that her information was involved in the breach despite her never having been on a RIPTA bus in “almost a decade.” 

Ajello explained that when she pressed RIPTA to explain why her information was involved, she was told that UnitedHealthcare sent RIPTA “all state employees’ health claims” and forced the agency to effectively sort through the entire batch and figure out which claims were from RIPTA employees.

Director of Administration James Thorsen was forced to send an email out to all state employees about the incident because RIPTA’s initial response was causing so much confusion. Thorsen’s email, which said only those with health plan billing from 2013 to 2015 were affected, caused even more confusion because many of those who received breach notification letters were not working for the state during those years. 

The Attorney General will now look to see if RIPTA violated Rhode Island’s Identity Theft Protection Act of 2015, which gives government agencies 45 days to report a breach. It took RIPTA more than two months to notify victims. 
