Hackers hit RIPTA. Here's why over 17,000 state employees discovered their data was stolen - The Providence Journal

Thousands of current and former state employees learned on Monday that hackers accessed their Social Security numbers and other sensitive information during a breach of the Rhode Island Public Transit Authority's computer systems in August.

The news came as an unpleasant surprise to many state workers who have never been employed by RIPTA — or even used public transportation — and did not know that the transit agency had their personal data on file. 

As many as 17,378 people in Rhode Island were affected by the incident, according to a letter mailed to individuals whose data was compromised. 

In early August, RIPTA revealed that a "cybersecurity issue" had taken down the agency's email network and phone lines and caused problems with the "Wave" mobile app. At the time, CEO Scott Avedisian assured the public that "the primary system that RIPTA uses to store internal employee files and maintain most operations has not been affected."

But after investigating, the agency determined that "files pertaining to the state’s health plan billing" had been taken from its computer network, RIPTA senior executive Courtney Marciano wrote in an email to The Providence Journal on Tuesday.

Those files contained "plan member names, Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, claim amounts and dates of service for which claims were filed," Marciano said.

Why would a quasi-state transportation agency have records of when a URI professor had filed a health-insurance claim?

"The state’s previous health insurance provider sent the files to RIPTA that included this information," Marciano wrote.

Marciano said that the files came from an insurance provider that had "administered a plan that is no longer active" but did not identify the provider.

Blue Cross/Blue Shield of Rhode Island took over the health plan for the State of Rhode Island in 2020, according to spokeswoman Jill Flaxington. She said BCBSRI was not the "previous insurance provider" in question, and that the data breached was not theirs.

UnitedHealthcare, the state's previous insurance provider, did not immediately respond to a request for comment.

No passenger payment information was compromised in the breach, according to RIPTA. Avedisian said in August that such information is not stored "in house," so it should be secure. 

But past and present state employees want to know why the agency took so long to warn people that their personal data had been compromised.

Several provided The Journal with copies of the letters they received, which say an "unauthorized party" had "exfiltrated" files from RIPTA's computer systems between Aug. 3 and Aug. 5. "We conducted a careful review of these files and, on Oct. 28, 2021, determined they (contained) your information," the letters say.

The letters are dated Dec. 21 — nearly two months later.

RIPTA "simply dropped the ball," Amalgamated Transit Union Local 618/618a, which represents RIPTA workers, said in a statement Monday. "At the very least they should have informed us of the possibility that our personal information may have been compromised."

Asked about the delay, Marciano said that identifying the individuals whose personal data was compromised and finding their addresses so that they could be notified was a "time and labor-intensive" process. 

The American Civil Liberties Union of Rhode Island also slammed RIPTA on Tuesday for providing "extremely misleading" information to the public about the breach. 

A notice about a "privacy Incident" quietly appeared on the transit agency's website last week, saying that RIPTA had "recently identified and addressed a security incident that involved the personal information of our health plan beneficiaries," and that hackers had removed files that pertained to "RIPTA’s health plan."

"Contrary to your agency’s statement that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus," ACLURI Executive Director Steven Brown wrote in a letter. "The only connection that they all seem to have is that they are, or were, state employees."

Brown also pointed to another discrepancy: According to the U.S. Department of Health and Human Services' online database of data breaches, the incident affected 5,015 people.

But the letter mailed out to victims on the 21st — the same day that information about the breach was submitted to HHS — indicated that more than 17,000 were affected. 

RIPTA did not immediately provide an explanation for the discrepancy.

In his letter, Brown questioned why RIPTA had those individuals' personal data in the first place.

"Assuming that the information was somehow inadvertently provided to RIPTA by a health care provider, how and why did RIPTA not realize this error, notify the provider and immediately delete all this personal information?" he wrote.

This story has been updated with additional information from Blue Cross Blue Shield of Rhode Island.