Government data breach in Rhode Island leads to AG investigation

Rhode Island Attorney General Peter Neronha told The Providence Journal on Thursday that he is going to open an investigation into a data breach involving the Rhode Island Public Transit Authority (RIPTA). This comes after outrage grew this week over the agency’s handling of the incident.  

Neronha’s office told the news outlet that it is receiving a high number of calls about the incident, prompting it to look into what happened.

On December 21, RIPTA sent out a notice saying that it first identified a “security incident” on August 5. RIPTA eventually discovered that data was exfiltrated from its systems between August 3 and August 5. The files contained information about RIPTA health plans and included Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, and claims information.

The US Department of Health and Human Services breach website indicates that 5,015 people were affected.

Earlier this week, the ACLU of Rhode Island asked RIPTA to explain why the personal information of people with no connection to the agency was included in the data breach.

Local ACLU chapter executive director Steven Brown says his chapter has received complaints from people who got letters from RIPTA notifying them that their personal data, including personal health care information, was accessed in a security breach of RIPTA’s computer systems. 

“According to the letter, the breach was identified on August 5th, but it was purportedly not until October 28th — over two and a half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals,” Brown wrote.

The letters reveal that the number of victims listed on the US Department of Health and Human Services website (5,015) does not match the number in the breach notices sent to victims: 17,378 people.

“Worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal
