The Rhode Island Public Transit Authority (RIPTA) lately informed the Department of Health and Human Services’ Office for Civil Rights concerning a data breach that impacted the protected health information (PHI) of 5,015 customers of its group health plan.
RIPTA mentioned in a breach notice posted on its web page that it identified and blocked the attack on August 5, 2021. According to the forensic investigation, the attackers acquired access to its system starting August 3, 2021. A thorough audit of files on the breached sections of its network found files linked to the RIPTA health plan, which included the names, birth dates, addresses, Medicare Id Numbers, Social Security Numbers, qualification details, health plan ID numbers, and claims data of health plan members. The investigation at the same time affirmed that those files were copied from its systems by the hackers.
RIPTA delivered notification letters to the affected people on December 22, 2021, and provided a free Equifax identity monitoring services membership. RIPTA furthermore stated in its website breach notification that it has enforced further security steps to avert more data breaches.
Soon after the sending of notification letters, many people who had gotten a notification letter contacted the office of the Rhode Island attorney general stating they had no direct relationship to RIPTA. Numerous complaints were likewise submitted to the Rhode Island American Civil Liberties Union (ACLU).
On December 28, 2021, the Executive Director of the Rhode Island ACLU, Steve Brown, sent a letter to the CEO of RIPTA, Scott Avedisian, searching for answers with regards to the data breach and why the personal data of persons with no connection in any way with RIPTA were alerted about the incident. Brown additionally mentioned in the letter that the information that was given publicly by RIPTA regarding this security breach is, in lots of ways, substantially and materially distinct from the data RIPTA has sent to the impacted people regarding it.
The public notification on the RIPTA web page had two mentions of a breach of RIPTA health plan files, in particular saying the breach affected the personal records of their health plan and files relating to RIPTA’s health plan. Brown stated the letters are quite misleading and downplay the comprehensive character of the breach. Brown stated every one of the complainants mentioned they were not RIPTA employees and a few even mentioned they had never even gone on a RIPTA bus.
In addition, the breach notice sent to the HHS’ Office for Civil Rights reveals that 5,015 health plan members were affected, when the notification letters reported the breach impacted 17,378 persons in Rhode Island, which triggers the question of why RIPTA was holding the records of another 12,363 people.
Brown additionally stated that the notification letters said the breach was discovered on August 5, 2021, nevertheless RIPTA used up two and a half months to determine the people that were affected, and then an extra two months for issuing the notification letters.
RIPTA senior executive Courtney Marciano mentioned to the Providence Journal that the hackers acquired data that contained the information of persons with no relationship with RIPTA considering that RIPTA’s past health insurance company had given files that included the personal and health records of people without association with RIPTA. RIPTA had in the past used UnitedHealthcare as its group health plan but later turned to Horizon BlueCross/Blue Shield of Rhode Island. The records provided to RIPTA by UnitedHealthcare purportedly comprised information of health claims connected with all state workers.
The reason behind the delay in providing notifications was reported as being caused by the time-consuming process of identifying which persons were impacted and validating contact details, and likewise working through the information to know which claims were for present or previous RIPTA personnel.
Rhode Island Attorney General Peter Neronha advised The Providence Journal that he is going to start an investigation of the data breach to find out whether any state rules were breached, for instance, the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights could furthermore opt to look into UnitedHealthcare concerning the obvious impermissible disclosure of the PHI of state personnel to RIPTA. The OCR breach site has no matching breach report by UnitedHealthcare.