PROVIDENCE, R.I. (WPRI) — The Rhode Island attorney general’s office is examining a major data breach at the R.I. Public Transit Authority last summer that compromised personal information for thousands of state workers who have no ties to the agency.
As Target 12 reported Tuesday, RIPTA has been sending letters to state employees – both current and retired – notifying them that suspected criminals accessed files related to the state’s health insurance billing plan which contained their personal information.
It remains unclear why RIPTA’s computer system had access to information about individuals who have never worked at the transit agency.
Some of those affected, as well as leaders at the Rhode Island chapter of the ACLU, have expressed frustration that RIPTA waited more than four months after the Aug. 5 attack to begin notifying people that their information was seized. RIPTA says it took until Oct. 28 to determine whose information was compromised.
Blake Collins, a spokesperson for Attorney General Peter Neronha, said their office received a letter from RIPTA on Dec. 23, two days after the notification letters went out.
The letter gave “notice of a cybersecurity incident that resulted in the unauthorized access to files containing the personal information of over 12,700 Rhode Island residents last August,” Collins told Target 12. “It appears that affected persons include not just individuals who are affiliated with RIPTA, but state employees who were beneficiaries of Rhode Island health plans.”
The AG’s Consumer Protection Unit has been dealing with “high call volume” in recent days as individuals reached out about the hack after they received the letter from RIPTA, according to Collins.
According to the Identity Theft Protection Act of 2015, entities are required to notify the attorney general in the event of a data breach affecting more than 500 Rhode Islanders. The law mandates that notifications “shall be made in the most expedient time possible but no later than forty-five (45) calendar days after the breach.”
“This office is now reviewing this incident to determine whether the entities involved have complied with state laws regarding notification and safeguarding of personal information in their custody,” Collins said.
Neronha’s office is urging anyone who has received one of the notification letters from RIPTA to sign up for the services offered by the agency, including “free credit monitoring, fraud consultation, and identity restoration services.” The attorney general’s consumer division can be reached at 401-274-4400.
Ted Nesi (email@example.com) is a Target 12 investigative reporter and 12 News politics/business editor. He co-hosts Newsmakers and writes Nesi’s Notes on Saturdays. Connect with him on Twitter, Facebook, LinkedIn and Instagram