Attorney general will probe whether RIPTA's handling of data breach complied with the law [The Providence Journal]
Providence Journal (RI)
The Rhode Island Attorney General's office is probing the Rhode Island Public Transit Authority's handling of a data breach that's affecting thousands of past and present state employees.
Kristy dosReis, a spokeswoman for Attorney General Peter Neronha, said the office was "reviewing this incident to determine whether the entities involved have complied with state laws regarding notification and safeguarding of personal information in their custody."
The attorney general's office was notified about the breach on December 23rd, dosReis said, and has been receiving a "high call volume stemming from the ongoing situation."
More than 17,000 people in Rhode Island were affected by an August breach of RIPTA's computer network, according to letters that victims received this week. Many of the individuals who had their personal data stolen had never worked for RIPTA or interacted with the transit agency, raising the question of why their information was on RIPTA's network.
Rep. Edith Ajello, D-Providence, told The Providence Journal that she was among the victims of the breach, and similarly wondered how RIPTA had obtained her information.
"I haven't been on a bus for almost a decade," she said.
Ajello said she sought an explanation and was told that UnitedHealthcare had been sending bills for all state employees' health claims to RIPTA — leaving it up to the transit agency to sort out which of those claims came from RIPTA employees.
UnitedHealthcare administered the health plan for state employees prior to 2020. The company did not respond to inquiries by press time.
RIPTA senior executive Courtney Marciano previously told The Journal that the data that hackers obtained had been sent to the transit agency by a "previous health insurance provider."
She did not answer additional inquiries about who that provider was, or whether the information provided to Ajello was correct.
RIPTA has not explained why files that contained state employees' personal information — including names, addresses, dates of birth, Social Security numbers, health plan numbers, and the dates and amounts of health claims — were not deleted or destroyed.
RIPTA's handling of the breach has led to widespread confusion. Many current and former state employees were baffled when they received letters earlier this week, alerting them that their data had been stolen.
Many had never worked for RIPTA, or had any other interaction with the public transportation agency. The letters did not say that the breach had also affected employees in other branches of government, or explain why RIPTA had those employees' personal data in the first place.
Several state employees who contacted The Journal said they and their coworkers had initially assumed the letter was a scam, because it listed a processing center in Portland, Oregon, as a return address.
In an apparent effort to quell the confusion, Director of Administration James E. Thorsen sent out an email to state employees on Tuesday, confirming that RIPTA had been "the target of a recent security incident that involved the personal information of beneficiaries of the State of Rhode Island's health plans."
Thorsen also included an additional piece of information about the breach: The files that were stolen pertained to "health plan billing from about 2013 through 2015."
Rhode Island's Identity Theft Protection Act of 2015 gives government agencies 45 days to notify affected individuals about a data breach. That notification process can be delayed if it would "impede a criminal investigation," but only if requested by a federal, state, or local law enforcement agency.
But state employees affected by the RIPTA breach were in the dark until they received letters in the mail this week — stating that RIPTA had learned Oct. 28 that the hackers stole files that contained their personal information.
Those letters were dated and postmarked Dec. 21, nearly two months later. The breach itself took place at the beginning of August.
RIPTA did not respond to an inquiry about whether the delayed notification might have violated the law.
The Identity Theft Protection Act also states that agencies "shall not retain personal information for a period longer than is reasonably required" unless other laws or retention policies state otherwise.
The law carries penalties of $100 for "reckless" violations, or $200 for "knowing and willful" violations, which could add up to a fine in the millions.