PROVIDENCE, R.I. (WPRI) — The U.S. Office for Civil Rights is investigating four recent data breaches in Rhode Island that affected more than 36,000 people, The Target 12 Investigators has learned.

The OCR, a division of the U.S. Department of Health and Human Services, opens investigations into all “breaches of unsecured protected health information affecting 500 or more individuals,” according to its website.

One of the breaches occurred at the state’s marquee company, CVS after the company experienced a cyber attack in February impacting 6,221 people.

CVS spokesperson Michael DeAngelis told Target 12 the incident “did not involve any social security numbers, any financial or payment information such as credit or debit card numbers, or bank account information.”

He said accounts were reset, customers were notified, and it was reported to OCR because the names of customer medications were revealed. DeAngelis said CVS does not know who hacked them and never received a ransom request.

In June, City of Newport employees discovered “unauthorized activity” on its internal network, determining the hackers used an email to obtain “certain personnel files stored on the City’s file servers.”

A month later, a federal OCR investigation began.

Thomas Shevlin, spokesperson for the City of Newport, said there was no ransom and it’s unclear who breached their servers, which impacted 6,109 people.

He said current and former municipal employees were notified of the breach.

The Narragansett Bay Commission (NBC) first reported a data breach in July, when “an unauthorized actor accessed and/or acquired certain files on its servers.”

NBC spokesperson Jamie Samons said the quasi-public agency paid hackers $250,000 to restore its systems, which was successful.

Samons said in August, NBC determined hackers obtained files that included names, dates of birth and Social Security numbers of employees.

NBC notified the 2,153 people potentially affected, and the OCR opened an investigation in September.

When asked if the responsible party was identified and if NBC received a ransom note, Samons cited the federal investigation, saying “I can’t share a ransom note nor the name of the threat actor.”

OCR spokesperson Rachel Seeger told Target 12 in a statement, “OCR does not comment on open or potential investigations.”

Target 12 has previously reported on a data breach at the R.I. Public Transit Authority (RIPTA) in August 2021, which affected as many as 22,000 people across Southern New England.

Conti, a hacker group with Russian ties, seized the personal information from RIPTA and then sent a ransom note demanding payment. RIPTA ended up paying $170,000 to recover its data.

Target 12 was first to report on the OCR’s probe into RIPTA’s data breach, which began in December 2021.

Joe Cole, vice president of the Amalgamated Transit Union Local 618, which represents RIPTA workers, said about 1,400 retired and current employees were impacted by the breach.

“We have members that have been hacked,” Cole said.

He said union members haven’t heard from RIPTA about how the breach happened, or why RIPTA had their personal information. Members voted no confidence in RIPTA management in January.

“The no confidence is still there for many of our employees,” Cole said. “RIPTA hasn’t come forward with anything.”

RIPTA spokesperson Cristy Raposo Perry said the agency notified employees “in compliance with its legal obligations.”

“We are unable to share specific details due to the sensitive nature of the investigation,” she added.

RIPTA provided a year of free credit monitoring for those impacted, but Cole said for many union members, that will run out at the end of this year.

“Their information is out there,” Cole said. “Whether it’s going to be used tomorrow or next year, it’s there.” 

Tolly Taylor (ttaylor@wpri.com) is a Target 12 investigative reporter for 12 News. Connect with him on Twitter and on Facebook