
UPDATE: Hacking incident exposing data of 5,000+ Rhode Island state employees (ACLU response)

(see ACLU update, added to end of story)

Editor’s note: Several requests for additional information to RIPTA have gone unanswered.

The Rhode Island Public Transit Authority – RIPTA – notified thousands of people that a data breach 4 months ago, described by the US Dept. of Health & Human Services as a “hacking/IT incident,” may have exposed their data. Names, dates of birth, health insurance information and records, and Social Security numbers are all implicated in the breach.

Letters were received by people who had no connection to RIPTA, either working there or using the transportation system, which has spurred requests for more information. There does not seem to be a connection to RIPTA users’ data.

As we go to publication, our late request to RIPTA has not been responded to and we will update this when that information is received.

We were told by one RIPTA employee that the breach had to do with those insured by Blue Cross Blue Shield, and in our quick check of some people who received letters, all were insured with them. Later reports indicate the data was held by the state’s last insurer processor, which was not Blue Cross. Requests for clarification to RIPTA have not been responded to.

According to an article in National Cybersecurity News, more than 5,000 people are affected by the security breach of the RIPTA health plan.

The unauthorized access to RIPTA occurred between Tuesday, August 3rd and Thursday, August 5th. In September, RIPTA also transitioned to a “WAVE” electronic card system for its 40,000 users. However, WAVE and RIPTA rider data is not stored in the state system.

There are approximately 12,000 state employees in Rhode Island.

NEW: Notably, while reports are that a little over 5,000 were impacted, the letter mailed out to victims was sent on the same day notification went to HHS – and that letter noted a potential 17,000 were affected.

The US Department of Health & Human Services notes there are four cases currently under investigation. They note the numbers of people impacted in the 4th column (RIPTA, 5015) – but the “Breach Investigation Date” is listed as December 21, 2021.

A portion of the letter received by those who could be impacted:

The union representing RIPTA workers – Amalgamated Transit Union – posted this on social media:

Brothers and Sisters,

During the month of August Ripta’s health care plan was hacked and some employees, retirees and family members’ personal information was compromised. You may receive a letter in the mail informing you of this along with free identity monitoring services and a number to call with any questions you may have (855)-604-1668.

The union is extremely disappointed to hear this news several months after the incident and is in the process of investigating this matter. We feel Ripta had an obligation to their employees when the incident occurred and they simply dropped the ball. At the very least they should have informed us of the possibility that our personal information may have been compromised, but instead it was kept from us.

The union will continue to investigate this and provide you with any updates.

In Solidarity,

Steve Sousa

A.T.U 618/618A – Secretary Treasurer

_____

Anyone who thinks their data may have been compromised can learn more by calling (855) 604-1668.

UPDATE: After several local news outlets reported on this story, the ACLU today released this statement:

The ACLU of RI has sent a letter today to the RI Public Transit Authority (RIPTA) demanding answers regarding an August 2021 data breach at the agency that compromised the Social Security numbers and private health care information of thousands of individuals who have no apparent connection to the agency.

Specifically, the letter demands to know why the agency had this information in the first place, why it took the agency more than two months to notify affected individuals, and why it provided misleading information to the public about the hack.

RIPTA publicly acknowledged the security breach back in August, but a notice it recently posted indicated that it involved the health care information of RIPTA personnel. In regard to the complaints received, however, the ACLU’s letter notes:

But worst – and most inexplicable – of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency.

The information compromised in the hack includes names, social security numbers and personal health information.

The letter also demands answers about why the agency has provided inconsistent and misleading information to the public about the hack:

The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it. According to the public notice posted on your website on or about December 21st about this security incident, the breach involved the “personal information of our health plan beneficiaries…”

Contrary to the statements that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus. The only connection that they all seem to have is that they are, or were, state employees. Yet nothing in RIPTA’s notice or letter explains why the personal health care information of non-RIPTA employees was in its computer system in the first place.

The letter also raises the question of why it took the agency so long to notify the affected individuals. According to the letter RIPTA sent affected individuals, the breach was identified on August 5th, but those affected by the breach were not identified until October 28, and not notified until this past week. 

The letter concludes with a request that the agency provide answers as to how and why they had this personal information of non-employees and did nothing to destroy the information when they received it. 

A copy of the letter is available here.

But the letter mailed out to victims on the 21st — the same day that information about the breach was submitted to HHS — indicated that more than 17,000 were affected.

This is a developing story


2 Comments

  1. Jim Bell on December 28, 2021 at 3:21 pm

    We wonder if there is more to this story. My wife received the letter from RIPTA yesterday. Our concern is why did RIPTA have any data on my wife. She is retired from the state but never worked for RIPTA. She retired from DCYF. Also our health care is provided by United. We have never had any connection with RIPTA. She just spent an hour waiting to talk to RIPTA but never got out of the waiting queue.



    • RINewsToday on December 28, 2021 at 5:18 pm

      It sounds like the hacking went through RIPTA but had to do with BCBS records of state employees. This isn’t relating to RIPTA, it relates to state employees.