Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals with no direct connection to RIPTA who had received a letter informing them that their personal and health information had been compromised in the data breach. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and why individuals with no relationship whatsoever with RIPTA had been notified about the breach. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said the letters are “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA, and some said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, whereas the notification letters stated the breach affected 17,378 individuals in Rhode Island. That discrepancy raised the question of why RIPTA was storing data of thousands of individuals who had never worked at RIPTA.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of such individuals. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The delay in issuing notifications was attributed to the labor-intensive process of determining which individuals had been affected, verifying contact information, and sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.