PROVIDENCE, R.I. (WPRI) – A cyberattack on the R.I. Public Transit Authority in August affected far more people than initially estimated, including an undisclosed number of state workers without any affiliation with the quasi-public agency.
Target 12 confirmed Tuesday that state employees – both current and retired – have begun receiving letters from RIPTA, notifying them that suspected criminals accessed files containing their personal information, which was being held at the state’s public transit agency.
“This information included your name, Social Security number, and one or more of the following: address, date of birth, Medicare identification number and qualification information, health plan member identification number and claims information,” RIPTA wrote in one letter dated Dec. 21 obtained by Target 12.
RIPTA senior executive officer Courtney Marciano said the affected files contained information from the state’s health insurance billing plan, which included the personal details of state workers outside of the agency. She did not know immediately why RIPTA had the files to begin with, saying it was from a provider who administered the plan “that is no longer active.”
Human resources information — such as health insurance material — is typically maintained within the R.I. Department of Administration.
“That’s the million-dollar question,” Marciano said when asked why RIPTA had that information, adding that letters were only sent out to individuals whose personal information was in the files.
“I don’t believe there was anything erroneous or malicious going on,” she said.
No passenger information was compromised, she added.
The revelation has already sparked outrage from the ACLU of Rhode Island, which sent a letter to RIPTA demanding answers about why the agency had that personal information. The advocacy group also criticized the agency for providing “misleading information to the public about the hack.”
“People who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency,” Rhode Island ACLU executive director Steven Brown wrote in the letter to RIPTA CEO Scott Avadisian.
Marciano said she did not know how many people were affected by the attack. But the ACLU said it had received a letter from one person indicating the total exceeded 17,700 people, which the group noted totaled roughly three times more than the 5,000 people RIPTA initially disclosed earlier this year.
Brown also questioned why it took the agency this long to start notifying workers about the hack.
“The breach was identified on Aug. 5, but it was purportedly not until Oct. 28 — over two-and-a-half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals,” Brown wrote.
In response to the letter, Marciano said the internal investigation that looked into what information was accessed was “time and labor-intensive, but RIPTA wanted to be certain what information was involved and to whom it pertained.”
“We received the letter from the ACLU and it’s under review,” she added.
In addition to the RIPTA notifications, DOA director Jim Thorsen sent a separate letter to all employees within the state’s executive branch, notifying them about the compromised information. The letters were sent to employees regardless of whether their information was accessed.
“I write to inform you that the Rhode Island Public Transit Authority (RIPTA) was the target of a recent security incident that involved the personal information of beneficiaries of the State of Rhode Island’s health plans,” he wrote, adding the affected files were from billing plans “from about 2013 through 2015.”
RIPTA announced it would be providing complimentary membership to identity monitoring services through Equifax. For people who think they were affected by the hack, but do not receive a letter by Jan. 20, Thorsen urged them to contact a call center at 855-604-1669.
Steph Machado contributed to this report.