In Rhode Island, a perplexing data breach has prompted an inquiry by the Attorney General

On Thursday, Rhode Island Attorney General Peter Neronha said that he will launch an inquiry into a data breach involving the Rhode Island Public Transit Authority, according to The Providence Journal (RIPTA). This comes as indignation over the agency’s handling of the event intensified this week.

According to the news site, Neronha’s office is receiving a large number of calls regarding the event, forcing them to investigate what happened.

On December 21, RIPTA issued a warning stating that it initially discovered a “security problem” on August 5. Between August 3 and August 5, RIPTA found that data had been stolen from their computers. Social Security numbers, residences, dates of birth, Medicare identification numbers and qualifying information, health plan member identification numbers, and claims information were all included in the data about RIPTA health plans.

According to the US Department of Health and Human Services’ data breach website, 5,015 persons were impacted.

The ACLU of Rhode Island requested RIPTA earlier this week to explain why the data leak contained personal information of persons who had no relationship to the agency.

People who received letters from RIPTA warning them that their personal data, including personal health care information, was obtained in a security breach of RIPTA’s computer systems have complained to the local ACLU chapter’s executive director, Steven Brown.

“According to the letter, the breach was identified on August 5th, but it was purportedly not until October 28th — over two and a half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals,” Brown wrote.

According to the letters, the number of victims indicated on the US Department of Health and Human Services website (5,015) does not match the number of victims stated in the breach alerts given to victims: 17,378 persons.

“Worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency,” Brown added.

The ACLU also claimed that RIPTA was not being forthcoming about the breach, pointing out that the organization’s public remarks regarding the event varied significantly from the letters delivered to victims. According to RIPTA’s original announcement, those affected were exclusively RIPTA health plan members.

“Based on the complaints we have received, this is extremely misleading and seriously downplays the extensive nature of the breach. Most importantly, it ignores, and fails to address, a host of questions regarding how the information that was hacked was in RIPTA’s hands in the first place,” Brown wrote.

Courtney Marciano, RIPTA’s senior executive, told ZDNet that the state’s previous health insurance provider submitted the data, which contained sensitive information on people who did not work for RIPTA.

RIPTA only distributed notice letters to people whose personal information was found in the files (from a provider that ran a plan that is no longer operational) and accessed by the hackers, according to Marciano.

RIPTA originally utilised UnitedHealthcare, but now employs Blue Cross/Blue Shield of Rhode Island, according to the Providence Journal.

“Upon discovering this incident, RIPTA worked diligently to verify all individuals (both internal RIPTA employees, as well as individuals outside of the agency) whose personal information was in the files that were accessed or infiltrated by an unauthorized party. After the analysis was complete, RIPTA searched its records and identified address information for those individuals,” Marciano said.

“This process was time and labor-intensive, but RIPTA wanted to be certain what information was involved and to whom it pertained. No passenger information was compromised.”

The matter sparked even greater indignation when Rep. Edith Ajello told The Providence Journal that her information had been compromised despite the fact that she had not used a RIPTA bus in “almost a decade.”

When Ajello pressed RIPTA for an explanation as to why her information was involved, she was told that UnitedHealthcare forwarded “all state workers’ health claims” to RIPTA. This is said to have prompted the agency to look through the whole batch to determine whether claims were submitted by RIPTA staff.

The Attorney General will now look into whether RIPTA broke the Identity Theft Protection Act of 2015, which requires government entities to notify a breach within 45 days. Victims were not notified for more than two months by RIPTA.