IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Testimony Shines New Light on Extent of RIPTA’s Data Breach

The sensitive information of 22,000 individuals was exposed in August 2021, when hackers accessed health-care plan files being stored on unencrypted servers owned by the Rhode Island Public Transit Authority, officials say.

data breach
An August 2021 breach at Rhode Island Public Transit Authority (RIPTA) may have compromised sensitive personal details on up to 22,000 state employees, RIPTA officials told a state Senate oversight committee earlier this week, per the Associated Press. This marks a jump up from earlier estimates, which put the victim count at 17,000.

Five thousand of the victims are RIPTA employees, while a portion of the remaining 17,000 victims are employees of other state government agencies, they said, per the AP.

Hackers accessed health plan-related files, RIPTA said in a December 2021 notice posted on its website. Files included details like health plan members’ names, Social Security numbers, Medicare identification numbers and qualification details, dates of birth, health plan member identification numbers, medical claims information and addresses.

RIPTA Director Scott Avedisian said during this week’s hearing that the breached data mostly contained documents from UnitedHealthcare, the state’s health plan administrator from 2015-2020, per WJAR. These documents were being stored on unencrypted RIPTA servers.

The agency had accessed the documents to confirm coverage and reconcile billing for its employees, Avedisian said. The files didn’t only contain information on covered RIPTA employees.

"In addition to containing information about our health plan participants, the reports also included information about individuals under the state-organized plan who were never insured under RIPTA's health plan," Avedisian reportedly testified, per WJAR.

RIPTA Chief Technology Officer Gary Jarvis told the oversight committee that the hackers had gained access to administrator accounts and used their access privileges to steal about 44,000 files, according to WJAR.

UnitedHealthcare’s Vice President of External Affairs Mark Gallagher had originally been scheduled to speak during the meeting but did not appear.

The attack occurred between Aug. 3 – Aug. 5, 2021, but the agency took until December 2021 to inform impacted individuals, RIPTA says on its website.

Jarvis told hearing attendees the agency sought to limit the number of staff members viewing the compromised files, partially as a privacy and security measure, and that this then contributed to the four-month delay.

"The more people that are looking at it, the more people that now have it," Jarvis said, according to WJAR. "So, we were trying to keep it to the folks that knew what the data was, what it was meant for and where it was going."

RIPTA says on its website that it extended free Equifax identity monitoring to impacted individuals in December. The damages of the breach are already being detected: Patrick Crowley, Rhode Island AFL-CIO secretary-treasurer, said during the hearing that union members have reported fraudulent use of their personal details.

The state attorney general and RIPTA are both continuing to investigate the breach.