RIPTA data breach linked to file wrongly stored on employee's hard drive, unions told [The Providence Journal]

Providence Journal (RI)

Hackers were able to access the personal information of thousands of state workers because a Rhode Island Public Transit Authority employee failed to delete a file from their hard drive, union representatives were told this week.

Unions representing state employees have been demanding to know why RIPTA was storing sensitive information that belonged to workers with no connection to the transit agency.

That resulted in a phone call this week that involved state officials and a coalition of unions, according to a summary of the call that was provided to The Providence Journal.

At some point in August 2020, a payroll clerk at RIPTA "downloaded a file, to pay monthly claims," the summary of the call says.

That file was "left on the [employee's] hard drive, which is not normal, and that hard drive was hacked," it goes on to state.

RIPTA was not immediately able to answer inquiries from The Journal on Friday, including whether the payroll clerk had been disciplined.

More: State senator DiPalma wants answers on how RIPTA breach happened — so there isn't a repeat

The cyberattack on RIPTA's computer systems took place in August 2021, indicating that the file sat on the clerk's hard drive for roughly a year.

What remains unclear is how the clerk was able to download that file in the first place: Was it sent in an email, or did the employee have to click a link or take other steps to access the data?

Understanding exactly how the data ended up on RIPTA's servers will be crucial for avoiding a repeat, Sen. Louis P. DiPalma, D-Middletown, has emphasized.

RIPTA previously told The Journal that the file was improperly shared with the agency by a former health insurance provider.

Blue Cross Blue Shield of Rhode Island, which currently administers the health plan for state employees, has said that it did not provide the data that was stolen in the breach.

More: Hacker hit RIPTA. Here's why over 17,000 state employees discovered their data was stolen

UnitedHealthcare, which previously managed the health plan, sent the following statement on Thursday: "We were privileged to administer the health benefits plan for the State of Rhode Island employees and their families from May 2005 through December 2019. Protecting sensitive member information is a key priority for us. Although this data breach did not affect any UnitedHealthcare system, we share public officials' interest in understanding the facts and are available to cooperate with authorities on their investigation."

More than 17,000 people were notified that their data had been accessed by hackers during the August breach. Information that was compromised included Social Security numbers, birthdates, addresses and the dates and amounts of health claims.

More: More than 5,000 people affected by security breach of RIPTA health plan. What we know

According to the summary of the union call, the breach affected people who were state or state-affiliated employees between 2013 and 2020 and who were enrolled in the state's health plan.

It's unclear if those employees' dependents were also affected, according to the call summary.

Employees enrolled only in the state's Delta Dental plan were not affected, union leaders were told.