Rhode Island Attorney General Peter Neronha told The Providence Journal on Thursday that he is going to open an investigation into a data breach involving the Rhode Island Public Transit Authority (RIPTA). This comes after outrage grew this week over the agency's handling of the incident.
Neronha's office told the news outlet that they are receiving a high number of calls about the incident, prompting them to look into what happened.
On December 21, RIPTA sent out a notice saying that August 5 was when it first identified a "security incident." RIPTA eventually discovered that data was exfiltrated from their systems between August 3 and August 5. The files contained information about RIPTA health plans and included Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, and claims information.
The US Department of Health and Human Services breach website indicates that 5,015 people were affected.
Earlier this week, the ACLU of Rhode Island asked RIPTA to explain why the personal information of people with no connection to the agency was included in the data breach.
Local ACLU chapter executive director Steven Brown says his chapter has received complaints from people who got letters from RIPTA notifying them that their personal data, including personal health care information, was accessed in a security breach of RIPTA's computer systems.
"According to the letter, the breach was identified on August 5th, but it was purportedly not until October 28th -- over two and a half months later -- that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals," Brown wrote.
The letters reveal that the number of victims listed on the US Department of Health and Human Services website (5,015) does not match the number in the breach notices sent to victims: 17,378 people.
"Worst -- and most inexplicable -- of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information -- much less their personal health care information -- in the first place, as they have no connection at all with your agency," Brown added.
The ACLU also said that RIPTA was not being transparent about the breach, noting that RIPTA's public statements about the incident are very different than the letters being sent to victims. RIPTA's initial statement implied that those affected were only the beneficiaries of RIPTA health plans.
"Based on the complaints we have received, this is extremely misleading and seriously downplays the extensive nature of the breach. Most importantly, it ignores, and fails to address, a host of questions regarding how the information that was hacked was in RIPTA's hands in the first place," Brown wrote.
RIPTA senior executive Courtney Marciano told ZDNet that the state's previous health insurance provider sent the files that included the sensitive information of those not working for RIPTA.
Marciano added that RIPTA only mailed out notification letters to individuals whose personal information was contained in the files (which are from a provider who administered a plan that is no longer active) and accessed by the hackers.
The Providence Journal noted that RIPTA previously used UnitedHealthcare but now uses Blue Cross/Blue Shield of Rhode Island.
"Upon discovering this incident, RIPTA worked diligently to verify all individuals (both internal RIPTA employees, as well as individuals outside of the agency) whose personal information was in the files that were accessed or infiltrated by an unauthorized party. After the analysis was complete, RIPTA searched its records and identified address information for those individuals," Marciano said.
"This process was time and labor-intensive, but RIPTA wanted to be certain what information was involved and to whom it pertained. No passenger information was compromised."
The situation caused even more outrage when Rep. Edith Ajello told The Providence Journal that her information was involved in the breach despite her never having been on a RIPTA bus in "almost a decade."
Ajello explained that when she pressed RIPTA to explain why her information was involved, she was told that UnitedHealthcare sent RIPTA "all state employees' health claims." This allegedly forced the agency to effectively sort through the entire batch to figure out which claims were from RIPTA employees.
The Attorney General will now investigate whether RIPTA violated Rhode Island's Identity Theft Protection Act of 2015, which gives government agencies 45 days to report a breach. It took RIPTA more than two months to notify victims.