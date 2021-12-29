On Tuesday, ACLU of Rhode Island executive director Steven Brown wrote to RIPTA CEO Scott Avedisian, demanding to know why it had taken until December to notify people about a data breach that occurred in early August. And it demanded to know why the breach involved health care information for people who had never worked at RIPTA and, in some cases, had never even been on a RIPTA bus.

But the American Civil Liberties Union of Rhode Island said the response fails to answer key questions such as why the quasi-public agency had health data about non-RIPTA employees in the first place.

PROVIDENCE — The Rhode Island Public Transit Authority on Wednesday provided some information about a data breach that compromised the personal health information for thousands of people.

Advertisement

On Wednesday morning, RIPTA senior executive officer Courtney Marciano wrote that the agency identified a “security incident” on Aug. 5 and immediately began investigating. The investigation found that files were taken from the agency’s computer network between Aug. 3 and 5, she said.

Those files involved “the state’s health plan billing,” and they contained names, Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, and claim amounts, Marciano said. The state’s previous health insurance provider had sent those files to RIPTA, she said.

“Upon discovering this incident, RIPTA worked diligently to verify all individuals (both internal RIPTA employees, as well as individuals outside of the agency) whose personal information was in the files that were accessed or infiltrated by an unauthorized party,” Marciano wrote.

After that analysis was done, RIPTA searched its records and identified address information for those affected by the data breach, she said. RIPTA then sent notification letters to people whose personal information was contained in the files and accessed by the unauthorized party, she said.

Advertisement

“This process was time and labor-intensive,” Marciano wrote, “but RIPTA wanted to be certain what information was involved and to whom it pertained.”

No passenger information was compromised, she said.

On Wednesday, Brown said that response does not answer the most significant questions raised in the ACLU letter to RIPTA.

“It’s more of a non-response,” he said. “It remains baffling how and why RIPTA had all this information about non-employees in the first place. Importantly, it does not explain why, after getting this inappropriate information, it still had it on the agency’s computer system, rather than deleting it immediately.”

Brown said RIPTA has not explained why the US Department of Health and Human Services website says 5,015 people were affected by this data breach, while the letter that RIPTA sent to people this week says the data breach involves 17,378 people in Rhode Island.

Also, Brown said, “While it attempts to explain why it took a few months to figure out whose information was exposed, it doesn’t explain why it took two months after that point to notify individuals.”

The ACLU has heard from dozens of people who received notifications from RIPTA about the data breach, Brown said. All are current or former state employees who had nothing to do with RIPTA, he said.

They are concerned about the theft not only of their health care information but also that of their children and other dependents, Brown said. While RIPTA has offered one year of free credit monitoring, “that fails to do justice to the significant harm that these individuals experienced,” he said.

Advertisement

“We are examining all possible options for addressing the issue, including potential litigation,” Brown said.

Edward Fitzpatrick can be reached at edward.fitzpatrick@globe.com. Follow him on Twitter @FitzProv.