State senator DiPalma wants answers on how RIPTA breach happened — so there isn't a repeat [The Providence Journal]

The Rhode Island Public Transit Authority data breach that compromised thousands of state workers' personal information raises numerous questions about the state's protocols for dealing with sensitive data, according Sen. Louis P. DiPalma, D-Middletown.

Among them: Who within RIPTA received files containing personal information about state workers with no connection to the agency? Why was that data not deleted?

And do we know where else similar data might be stored on state servers?

"We're talking about 17,000 individuals that are impacted, and could be impacted for life," DiPalma said. "How do we ensure this doesn't happen again?"

RIPTA revealed in late December that hackers had obtained files that contained information including Social Security numbers, birthdates, addresses and the dates and dollar amounts of health claims. The breach took place in early August, and involved data belonging to both past and present employees who were on the state's health plan, as well as their beneficiaries.

'Reviewing this incident': Attorney general will probe whether RIPTA's handling of data breach complied with the law

That data was "incorrectly shared" with RIPTA by the state's previous health insurance provider, according to a lengthy FAQ document that was sent to state employees by the Department of Administration on Wednesday morning.

The state's current health insurer is Blue Cross/Blue Shield of Rhode Island.

A spokesman for UnitedHealthcare provided the following statement on Thursday: "We were privileged to administer the health benefits plan for the State of Rhode Island employees and their families from May 2005 through December 2019. Protecting sensitive member information is a key priority for us. Although this data breach did not affect any UnitedHealthcare system, we share public officials' interest in understanding the facts and are available to cooperate with authorities on their investigation."

Meanwhile, the office of Health Insurance Commissioner Patrick Tigue is "conducting a due-diligence review to understand the role that the state's former third party administrator for state employee health benefits is alleged to have played in producing the data that was provided to RIPTA and later stolen," Tigue's chief of staff, Cory King, wrote in an email.

DiPalma said it will be important to know exactly how the data was shared with RIPTA: Was it in an email to the transit agency, or did someone at RIPTA have to click a link to gain access?

"Neither one is good," he said — but it's context that's necessary because avoiding a repeat requires knowing more about how RIPTA acquired the data in the first place. Similarly, it's important to know how long the data was sitting on RIPTA's servers, and if it was all shared with RIPTA on one occasion or in separate incidents that span multiple years.

Hacker hit RIPTA: Here's why over 17,000 state employees discovered their data was stolen

Initially, the DOA told state workers that the compromised files appeared to contain information from 2013 to 2015. The agency has since corrected that statement, saying "the subject period of the data files extends to a currently undetermined point in early 2020."

IT officials should do a "sweep" to find out where else information like Social Security numbers is being stored, who has access to it and why it's there, DiPalma previously told The Journal.

The state's Department of Information Technology did not respond to an inquiry on Tuesday. The DOA's FAQ says that RIPTA is now "taking all necessary steps to remove all files containing state employee information," and that the state is "working closely with all parties involved" to prevent a repeat.

"Someone at some point should have raised their hands and said, 'Should I have this?'" DiPalma said. He's seeking clarity on whether there was a protocol in place that should have been followed — which might indicate that there needs to be more training so that state employees are aware of what to do if they inadvertently end up possessing sensitive data in the future.

"There's still many more questions to be answered for us to have a complete understanding of the situation, and I'll be looking to get those answers," DiPalma said.

In Providence:: Elorza proposes millions for housing, reparations in new COVID-relief fund spending plan

RIPTA has not answered questions about who received the data that was improperly shared with the agency, and why it wasn't deleted.

"As the situation continues to be examined, it is important to note that RIPTA has complied with and fulfilled all of its legal obligations and continues to cooperate fully with the attorney general's investigation," senior executive officer Courtney Marciano said in an email. "Though the event is certainly unfortunate, we are handling the situation with the extreme seriousness it requires, while taking a hard look at the security measures in place and finding any and all ways to improve them going forward."

The exact number of people whose data was stolen in the RIPTA breach has been an ongoing source of confusion.

Letters mailed out to victims state that the incident "involves 17,378 people in Rhode Island." But the Rhode Island attorney general's office was told that the files contained personal information from "over 12,700 Rhode Island residents," spokeswoman Kristy dosReis said last week.

Winter storm watch: 4 to 6 inches of snow likely Friday, heavy during morning commute

A third number can be found on the U.S. Department of Health and Human Services' online data portal, which indicates that only 5,015 people were affected by the breach.

Marciano said on Wednesday that the discrepancy reflects that "the total number of individuals whose personal health information was affected by the incident pursuant to HIPAA" was 5,015.

Rhode Island law requires people to be notified about any breach that "poses a significant risk of identity theft," so it's not limited to instances where health data was compromised and HIPAA guidelines would apply. RIPTA sent out notifications to a total of 17,378 people in accordance with that law, Marciano said.

According to the DOA, employees who received a letter saying that their personal data had been compromised are "encouraged to actively monitor for the possibility of fraud and identity theft by reviewing your credit reports and account statements for any unauthorized activity regularly," and sign up for the free credit monitoring provided by RIPTA.

Receiving a letter doesn't necessarily mean that you have been a victim of identity fraud, the guidance notes.

RIPTA did not say who would be footing the bill for the full year of Equifax credit monitoring that is being offered to people whose information was compromised.

This story has been updated to include comments from UnitedHealthcare.

©2022 www.providencejournal.com. Visit providencejournal.com. Distributed by Tribune Content Agency, LLC.