The Rhode Island Public Transit Authority (RIPTA) has notified the Department of Health and Human Services’ Office for Civil Rights of a data breach that affected the protected health information (PHI) of 5,015 members of its group health plan.
In a breach notice published on its website, RIPTA said it discovered and blocked the cyberattack on August 5, 2021. The forensic investigation determined that the attackers had access to its network from August 3, 2021. A detailed review of the files in the compromised areas of the network identified files associated with the RIPTA health plan containing the names, dates of birth, addresses, Social Security numbers, Medicare ID numbers, eligibility data, health plan ID numbers, and claims details of health plan members. The investigation also confirmed that the attackers exfiltrated those files from its systems.
RIPTA mailed breach notification letters to the affected individuals on December 22, 2021, and offered them a complimentary membership to Equifax’s identity monitoring services. In its website notice, RIPTA also stated that it has implemented additional security measures to prevent further data breaches.
After the notification letters went out, many recipients called the office of the Rhode Island attorney general to say they had no direct connection to RIPTA. A number of complaints were also sent to the Rhode Island American Civil Liberties Union (ACLU).
On December 28, 2021, the Executive Director of the Rhode Island ACLU, Steve Brown, wrote to RIPTA CEO Scott Avedisian seeking answers about the data breach and about why individuals with no connection to RIPTA had been notified that their personal data was involved. Brown also noted in the letter that the information RIPTA presented publicly about the breach is, in numerous ways, considerably and materially different from the information RIPTA gave to the affected individuals.
The public advisory on the RIPTA website made two references to a breach of RIPTA health plan information, specifically stating that the breach involved the personal data of its health plan members and files related to RIPTA’s health plan. Brown said the letters are very misleading and downplay the extensive nature of the breach. He noted that all of the complainants said they had never been employed by RIPTA, and some said they had never even ridden a RIPTA bus.
In addition, the breach report submitted to the HHS’ Office for Civil Rights states that 5,015 health plan members were affected, whereas the notification letters said the breach affected 17,378 people in Rhode Island, which raises the question of why RIPTA was holding the information of another 12,363 individuals.
Brown further pointed out that although the notification letters state the breach was identified on August 5, 2021, RIPTA took two and a half months to determine who was affected, and then a further two months to send the notification letters.
RIPTA senior executive Courtney Marciano told the Providence Journal that the attacker had obtained documents containing the records of people with no relationship to RIPTA because RIPTA’s previous health insurer had provided files that included the personal and health information of individuals unaffiliated with RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan before switching to Horizon BlueCross/Blue Shield of Rhode Island. The documents UnitedHealthcare provided to RIPTA apparently contained health claims information for all state employees.
The delay in issuing notifications was attributed to the labor-intensive process of identifying which individuals were affected and verifying their contact details, as well as searching the records to determine which claims belonged to current or former RIPTA employees.
Rhode Island Attorney General Peter Neronha told The Providence Journal that he will open an investigation into the data breach to determine whether any state laws were violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the impermissible disclosure of state employees’ PHI to RIPTA. The OCR breach portal currently lists no corresponding breach report from UnitedHealthcare.