Date: 2022-02-01

While Rhode Island has policies aimed at using encryption and access restrictions to protect computerized data, those policies don’t apply to a wide range of quasi-public agencies, such as RIPTA, the Narragansett Bay Commission, and the Rhode Island Airport Corporation, Senator Louis P. DiPalma said.

PROVIDENCE — The Rhode Island Public Transit Authority data breach has revealed a massive hole in the state’s cybersecurity policies, the Senate oversight committee chairman said Tuesday.

And those policies don’t apply to large, significant organizations such as the University of Rhode Island, the General Assembly, the secretary of state’s office, or the attorney general’s office, he said.

“It is a statewide tech enterprise policy, but it’s not statewide,” DiPalma said. “It’s a miss.”

So DiPalma, a Middletown Democrat, said he will propose legislation that would extend existing cybersecurity policies to all branches of Rhode Island government and quasi-public agencies. While some agencies might have their own practices in place, the state needs a blanket policy, he said.

DiPalma reached that conclusion following a 2.5-hour Senate Committee on Rules, Government Ethics, and Oversight hearing on Monday night that delved into a massive data breach at RIPTA. First revealed in December, the breach compromised the personal health information of thousands of people, including many state employees who don’t work for RIPTA.

“It’s not a question of whether unauthorized access is going to happen – it is going to happen,” he said. “We need to ensure that when bad actors get access to the system, they don’t get access to the data.”

At the outset of the hearing, DiPalma said it now appears that the data breach affected about 22,000 people – up from previous estimates.

At first, officials were told that about 5,000 RIPTA employees had personally identifiable information compromised, he said. Then, officials were told a total of 17,000 people, including many non-RIPTA employees, were affected, and it’s clear the breach affected about 22,000 people, mostly state employees who had UnitedHealthcare insurance, he said.

“Some folks in this room, and I’m sure some folks watching, were impacted by the data breach,” DiPalma said during the hearing. “It’s an extremely important topic – that Rhode Islander’s personally identifiable information and personally identifiable health information is protected to the Nth degree.”

He said officials from UnitedHealthcare, the state’s former health insurance provider, had been invited to testify about the data breach. He said they agreed to attend but then backed out, citing an investigation into the matter by Attorney General Peter F. Neronha’s office.

“I am extremely disappointed that they are not here tonight,” DiPalma said. “Why am I disappointed? It’s about gathering facts, it’s about gathering data, and I think they would be able to provide some set of facts and data and be able to answer some of the questions that will come up.”

He noted the attorney general’s office is also investigating RIPTA, and several RIPTA officials, including CEO Scott Avedisian, took part in Monday night’s hearing.

Avedisian sent the committee a timeline showing that RIPTA staff first learned that an “unauthorized third party” had accessed the computer system on Aug. 5. On that day, RIPTA’s phone system, file systems, and email systems went out of service, the document states.

Senator Jessica de la Cruz, a North Smithfield Republican, asked if RIPTA’s bus services were interrupted as a result of the breach.

“Actually, we lost no service during the data breach,” Avedisian replied. “We didn’t have phone service and we didn’t have computer service, but we hand-scheduled every trip and did not have any reduction in service during the time that our system was down.”

According to the timeline, RIPTA notified the FBI on Aug. 11. The email system was restored on Aug. 19, and the phone system was restored on Aug. 20.

RIPTA staff began “a careful review” of the compromised files to determine their contents. Every file was touched manually and reviewed, and all the files were converted to a searchable format, according to the timeline. By Oct. 28, RIPTA had identified files that might contain personal information, and in November the agency began gathering the addresses of those with compromised personal information.

On Nov. 8, files from “a prior health provider,” meaning UnitedHealthcare, were identified. RIPTA finalized the contact information for everyone affected by the breach on Nov. 29. And on Dec. 21, RIPTA notified the attorney general’s office and the Office of Civil Rights at the US Department of Health and Human Services.

That timeline prompted Senator Frank Lombardo III, a Johnston Democrat, to ask: “Would you please explain why it took more than two-and-a-half months for RIPTA to identify people whose names and information were hacked, and then why it took more than two months to notify them?”

Gary Jarvis, RIPTA’s chief technology officer, said it initially looked like 80,000 files had been compromised but, with duplicates removed, officials determined the breach involved 40,000 separate files in various formats. Officials needed to cross-reference the files to eliminate duplicates and determine if they contained personally identifiable information.
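The two steps Jarvis describes, collapsing duplicate copies and then checking what is left for personal information, are the standard first pass when scoping a breach. The script below is an added illustration of that workflow and is not RIPTA’s code or process; the file names, contents and PII patterns are constructed for the example, and the patterns are deliberately simple (a real triage would add context checks and dictionary lookups). Files are deduplicated by SHA-256 of their content so that renamed copies count once, and each unique file is then scanned for SSN, date-of-birth and Luhn-valid card-number shapes.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample "recovered files" (path -> bytes). Made-up records for
# this example only; nothing here comes from the RIPTA incident.
SAMPLE_FILES = {
    "export/claims_2021.csv": b"member_id,name,ssn\n1001,Jane Doe,123-45-6789\n",
    "backup/claims_2021 (copy).csv": b"member_id,name,ssn\n1001,Jane Doe,123-45-6789\n",
    "hr/schedule.txt": b"Route 60 driver roster, Monday shift\n",
    "finance/vendor_invoice.txt": b"Invoice 4421, amount 1,250.00, net 30\n",
    "legacy/roster_old.txt": b"Route 60 driver roster, Monday shift\n",
    "hr/benefits_enrollment.txt": b"Enrolled: John Smith, DOB 1980-04-02, card 4111 1111 1111 1111\n",
}

# Simple PII indicators used for triage (assumed patterns, not a complete set).
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(rb"\b(19|20)\d{2}-\d{2}-\d{2}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


@dataclass
class TriageResult:
    unique_count: int        # number of distinct file contents after dedup
    duplicate_groups: dict   # sha256 hex digest -> list of paths with that content
    flagged: dict            # representative path -> sorted list of PII kinds found


def dedupe_by_hash(files):
    """Group paths by the SHA-256 of their content; renamed copies share a group."""
    groups = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        groups.setdefault(digest, []).append(path)
    return groups


def luhn_ok(digits):
    """Luhn checksum, used to reject 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(data):
    """Return the sorted list of PII kinds whose pattern matches in `data`."""
    kinds = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(data):
            if kind == "card":
                digits = re.sub(rb"\D", b"", match.group()).decode()
                if not luhn_ok(digits):
                    continue  # 16 digits that fail Luhn are not a card number
            kinds.append(kind)
            break  # one hit per kind is enough to flag the file
    return sorted(kinds)


def triage(files):
    """Dedupe, then scan one representative of each content group for PII."""
    groups = dedupe_by_hash(files)
    flagged = {}
    for paths in groups.values():
        representative = sorted(paths)[0]
        kinds = find_pii(files[representative])
        if kinds:
            flagged[representative] = kinds
    return TriageResult(len(groups), groups, flagged)


if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    print(f"{len(SAMPLE_FILES)} files, {result.unique_count} unique after dedup")
    for path, kinds in result.flagged.items():
        print(f"  PII ({', '.join(kinds)}): {path}")
```

Hashing before scanning is what keeps the review set small: here six recovered files collapse to four distinct contents, and only two of those contain anything that needs a notification decision. Keeping the duplicate groups in the result matters for the notification step, since every path in a flagged group points at the same affected people.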

“Because of the small amount of people working on it, it was just very labor intensive to get that done,” Jarvis said.

Lombardo said that led to his next question: “Why was there such a small amount of people working on such a huge issue for Rhode Islanders?”

Jarvis said RIPTA assigned a small team of finance, human resource, and information technology officials to review the data because it contained personal information that shouldn’t be widely viewed. “The more people looking at data they shouldn’t be looking at just is not, I think, appropriate,” he said.

Edward Fitzpatrick can be reached at edward.fitzpatrick@globe.com. Follow him on Twitter @FitzProv.