The ACLU of RI has sent a letter today to the RI Public Transit Authority (RIPTA) demanding answers regarding an August 2021 data breach at the agency that compromised the Social Security numbers and private health care information of thousands of individuals who have no apparent connection to the agency.
Specifically, the letter demands to know why the agency had this information in the first place, why it took the agency more than two months to notify affected individuals, and why it provided misleading information to the public about the hack.
RIPTA publicly acknowledged the security breach back in August, but a notice it recently posted indicated that it involved the health care information of RIPTA personnel. In regard to the complaints received, however, the ACLU's letter notes:
But worst – and most inexplicable – of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency.
The information compromised in the hack includes names, Social Security numbers and personal health information.
The letter also demands answers about why the agency has provided inconsistent and misleading information to the public about the hack:
The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it. According to the public notice posted on your website on or about December 21st about this security incident, the breach involved the “personal information of our health plan beneficiaries…” (emphasis added)
Contrary to the statements that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus. The only connection that they all seem to have is that they are, or were, state employees. Yet nothing in RIPTA’s notice or letter explains why the personal health care information of non-RIPTA employees was in its computer system in the first place.
The letter also raises the question of why it took the agency so long to notify the affected individuals. According to the letter RIPTA sent affected individuals, the breach was identified on August 5th, but those affected by the breach were not identified until October 28, and not notified until this past week.
The letter concludes with a request that the agency explain how and why it held this personal information of non-employees and why it did nothing to destroy the information once it received it.