Investigation Launched into RIPTA Data Breach

A recently reported data breach impacting the Rhode Island Public Transit Authority (RIPTA) is to be investigated by the state’s attorney general.

The protected health information (PHI) of thousands of individuals was involved in the data breach, which occurred when RIPTA was attacked by cyber-criminals last summer. 

RIPTA reported the data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) as affecting 5,015 individuals who are members of the transport authority’s group health plan. 

The Providence Journal reports that the number of impacted individuals subsequently rose to 17,378. 

Suspicious activity was identified on RIPTA’s computer network on August 5, 2021, and – according to a breach notice posted to the authority’s website – blocked the same day. 

Digital forensic evidence of the cybercrime revealed that parts of RIPTA’s network had been accessible to an unknown threat actor since August 3, 2021. 

After reviewing what data the threat actor had been able to access, RIPTA determined that files containing the personal information of health plan members were stored in the comprised area of the network and that these files had been exfiltrated in the cyber-attack.

Data stored in the exfiltrated files included health plan members’ names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information.

According to a document sent to state employees by the Department of Administration on Wednesday, some of the PHI exfiltrated in the attack had been “incorrectly shared” with RIPTA by the state’s previous health insurance provider, UnitedHealthcare.

RIPTA senior executive Courtney Marciano said that the PHI of individuals with no connection to RIPTA had been sent to the transport authority in error by UnitedHealthcare. RIPTA has since switched its insurance provider to Horizon BlueCross/Blue Shield of Rhode Island. 

Rhode Island attorney general Peter Neronha stated his intention to investigate the data breach to the Providence Journal. Neronha’s probe will determine whether any state laws have been violated, such as the Identity Theft Protection Act of 2015. 

It is possible that the OCR may investigate UnitedHealthcare over the seemingly impermissible disclosure of state employees’ PHI to RIPTA.