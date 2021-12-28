On Dec. 21, RIPTA posted a “Notice of Security Incident” on its website, saying someone had gained unauthorized access to some of its computer systems in early August, and files “pertaining to RIPTA’s health plan” had been exported. Those files contained names, Social Security numbers, addresses, dates of birth, and Medicare identification numbers, the notice said.

PROVIDENCE — The American Civil Liberties Union of Rhode Island is demanding to know why a Rhode Island Public Transit Authority data breach led to the release of personal health information for thousands of people, including some who have never even been on a RIPTA bus.

This week, the ACLU began receiving complaints from people who do not work for RIPTA but were notified that their personal health data had been compromised in the RIPTA data breach, ACLU of Rhode Island executive director Steven Brown wrote Tuesday in a letter to RIPTA CEO Scott Avedisian.

“Contrary to your agency’s statement that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus,” Brown wrote. “The only connection that they all seem to have is that they are, or were, state employees.”

The ACLU demanded to know why the personal health care information of non-RIPTA employees was in its computer system in the first place.

It demanded to know why it took more than 2-1/2 months for RIPTA to identify the people whose names and information were hacked, and then two more months to notify them.

And it demanded to know why the US Department of Health and Human Services website says 5,015 people were affected by this data breach, while the letter that RIPTA sent to people this week says the data breach involves 17,378 people in Rhode Island.

Brown said the ACLU realizes that data breaches are a reality and that “malicious hackers” consider personal data “a precious commodity.”

“But that is what makes all the more alarming the specifics of this incident: the time it took for affected individuals to be notified, the misleading information provided the public about it, and, most critically of all, RIPTA’s possession and storage of personal health care information that it clearly had no business having in the first place,” he wrote.

A RIPTA spokeswoman said, “We have received the letter from the ACLU, and it’s currently under review.”

Edward Fitzpatrick can be reached at edward.fitzpatrick@globe.com. Follow him on Twitter @FitzProv.