
Posted On February 2, 2022 Consumer Privacy & Data Breaches

Rhode Island Public Transit Authority Data Breach Alert

Data Breach Alert: Console & Associates, P.C. Is Actively Investigating the RIPTA Data Breach to Determine the Legal Remedies of Those Impacted by the Recent Cybersecurity Event

In December of last year, the Rhode Island Public Transit Association (“RIPTA”) announced that data pertaining to more than 17,000 individuals was compromised in a major security breach. However, in more recent news, the total number of affected parties is now believed to be around 22,000. Most of those impacted by the breach were state employees or state-affiliated employees who were enrolled in the state’s health plan.

In the wake of the RIPTA data leak, many are asking pointed questions about the Association’s role. While there have been no allegations that RIPTA or any of its employees played an active role in the data breach, some reports indicate that the data was removed from a file that should have been deleted. According to one news outlet covering the story, a representative from RIPTA told union members that hackers were able to access the personal information of thousands of state workers because a RIPTA employee did not delete a file from their hard drive.

Apparently, in August 2020, a payroll clerk downloaded a file to pay monthly claims. However, instead of deleting that file, the employee allowed it to remain on their desktop. When the hacker breached the RIPTA system the following year, in August 2021, they targeted that file, which contained a significant amount of personal and health data pertaining to 22,000 RIPTA and state-agency employees. While the complete scope of the compromised data has not yet been confirmed by RIPTA, it appears that the following is among the information the hacker was able to obtain:

  • First and last names;
  • Social Security numbers;
  • Dates of birth;
  • Physical addresses;
  • Medicare identification numbers;
  • Qualification information;
  • Health plan member numbers; and
  • Health plan claims information.

In December 2021, RIPTA disclosed the breach to the U.S. Department of Health and Human Services’ Office of Civil Rights. However, due to existing data breach laws, RIPTA was only legally required to list the approximately 5,000 current employees who were affected and not the 17,000 other individuals whose information was also leaked as a result of the breach.

In his first public statement since the leak, RIPTA Director, Scott Allen, explained that most of the information compromised was contained in documents from the state’s former health plan administrator, stored on non-encrypted RIPTA servers. However, RIPTA’s current health plan administrator, Blue Cross Blue Shield of Rhode Island, explained that it was not the source of the compromised data. Reporters also reached out to the Association’s prior health-plan administrator, United Healthcare, which responded that the breach did not involve any of the company’s systems. However, United Healthcare did not deny that it supplied the data.

On February 1, 2022, lawmakers convened a meeting to discuss the RIPTA data security incident. In an interesting turn of events, United Healthcare did not send a representative to the meeting.

Can Consumers Affected by the Recent RIPTA Data Breach Seek Legal Action Against the Association?

When you went to work for the Rhode Island Public Transit Association, you voluntarily gave the company access to your personal information. In doing so, you trusted the Association to keep your information secure. Certainly, anyone in your shoes would assume that their employer would safeguard their information by any means necessary. However, news of the RIPTA data breach raises some questions about the Association’s data security measures and its commitment to employee privacy.

Public and private employers have an ethical and legal obligation to ensure sensitive employee information in their possession remains private. While developing a system to protect employee data from cyber threats comes at a high cost, this is a necessary expense for businesses operating in an environment where cyberattacks, network intrusions and other data security events are common.

U.S. consumer privacy laws allow consumers and employees to pursue data breach lawsuits against companies that misuse or mishandle their data. However, because the Rhode Island Public Transit Association data breach is very recent, and details about the incident are still emerging, it is unclear if RIPTA bears legal responsibility for the breach. The data breach attorneys at Console & Associates, P.C. are investigating the RIPTA data security incident to determine what legal remedies, if any, employees and other affected parties may have against the Association.

If you have questions about your ability to bring a data breach class action lawsuit against Rhode Island Public Transit Association, you should contact a data breach attorney as soon as possible.

What to Do if You Received a RIPTA Data Breach Letter

Cyberattacks such as the RIPTA data breach are increasingly common and raise significant concerns for consumers as well as employees impacted by these events. In many cases, a cybersecurity incident such as this one occurs when a person hacks into secure servers to view, and possibly steal, employee information. While a hacker’s intentions generally remain unknown, and no one knows why RIPTA was the target of this recent cyberattack, it is not uncommon for cybercriminals to identify companies that have inadequate data security systems or are known to negligently handle sensitive consumer information.

In the wake of a data breach, affected consumers are at an increased risk of identity theft. While being the victim of a hacking event doesn’t always mean a criminal will use your information to steal your identity, identity theft is one of the primary reasons hackers engage in this type of cyberattack. While it is possible that you may not ever notice unauthorized activity on any of your accounts, unfortunately, you won’t know there is an issue until it’s too late. Thus, it is very important you remain vigilant by taking the following steps:

      1. Carefully review the letter sent by Fluid Components International;
      2. Retain a copy of the data breach notification letter;
      3. Enroll in the free credit monitoring service provided by Fluid Components International;
      4. Change all passwords and security questions to online accounts;
      5. Enable two-factor or multi-factor authentication, where it is available;
      6. Frequently review all credit card and bank account statements for any signs of fraud or unauthorized activity;
      7. Monitor credit reports for any unexpected changes or signs of identity theft;
      8. Contact a credit bureau to request a temporary fraud alert; and
      9. Notify all banks and credit card companies of the data breach.

According to the Identity Theft Resource Center (“ITRC”), “freezing your credit is the single most effective way to prevent a new credit/financial account from being opened.” However, the ITRC also reports that just 3% of consumers whose information is leaked place a freeze on their account.

Below is a copy of the initial data breach letter issued by RIPTA (the actual notice sent to consumers can be found here):

Dear RIPTA Employee,

As you may know, on Thursday, August 5, 2021, the Rhode Island Public Transit Authority (RIPTA) became aware that it was the target of a computer system security incident. RIPTA immediately consulted with security experts to investigate the scope of the security incident.

A careful review and forensic analysis were conducted, and it was discovered that among the compromised files were those pertaining to the State’s prior health plan provider. Information for both RIPTA and State employees, who were covered by the health plan administered by the prior provider, were in the file. State employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the State’s employee health benefits program.

The files were illegally obtained from RIPTA’s server by an unauthorized third party. The files reportedly contained plan member names, Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, claim amounts, and dates of service for which claims were filed for State employees, including RIPTA.

As a result of this finding, RIPTA is taking steps to help protect all of the individuals who may be at risk from this security incident. RIPTA has notified all identified, impacted health plan participants of the compromise via mail and is offering complimentary identity theft protection services through Equifax. Should you need help enrolling in the program, please reach out to our IT Department.

Everyone is encouraged to remain vigilant regarding your information, not only because of this security incident, but because of the identity threats we all face every day. If you notice any unusual activity in any of your accounts, please contact your service provider, such as your bank, as soon as possible.

We would like to express our sincerest apologies for any concern or inconvenience resulting from this incident.

RIPTA has established a dedicated call center at 855-604-1668 that is available Monday through Friday (except holidays) from 9 a.m. to 9 p.m. to answer questions.