Cyber Incident Victim: Rhode Island Public Transit Authority
Date:
Aug 2021
Location:
United States of America
Summary
A cybersecurity incident at the Rhode Island Public Transit Authority involved unauthorized access and exfiltration of sensitive health plan data, including Social Security numbers, Medicare IDs, and medical claims information. The breach impacted thousands of individuals, with conflicting reports on the total affected—federal records indicated approximately 5,000 victims while agency notifications referenced over 17,000. The compromised files included personal data of non-employees due to a former health insurance provider inadvertently sharing unrelated state employee records. Delays exceeding legal requirements occurred in victim identification and notification, prompting an Attorney General investigation into potential violations of state breach disclosure laws. The discrepancy between public statements and victim communications raised transparency concerns from advocacy groups.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Rhode Island Public Transit Authority (RIPTA) experienced a data breach between August 3 and August 5, 2021, which was first detected by the agency on August 5. During this security incident, attackers exfiltrated files containing sensitive personal and health information from RIPTA's systems. The compromised data included Social Security numbers, addresses, dates of birth, Medicare identification numbers, health plan member identification numbers, qualification information, and health claims details. RIPTA later determined that the breached files originated from a former health insurance provider that had administered a now-inactive plan, which inadvertently included personal data of individuals beyond current RIPTA employees. This discovery led to significant confusion about the scope of affected parties, as the dataset contained health claims information for multiple state employees unrelated to RIPTA operations.
RIPTA publicly disclosed the breach on December 21, 2021, after identifying affected individuals on October 28 – more than two and a half months after detection. Notification letters were subsequently mailed to 17,378 impacted people, a figure substantially higher than the 5,015 victims listed on the U.S. Department of Health and Human Services breach portal. The delayed response exceeded Rhode Island's 45-day breach notification requirement under the Identity Theft Protection Act of 2015. Public outcry intensified when individuals with no recent connection to RIPTA, including State Representative Edith Ajello, received breach notices. Investigation revealed that UnitedHealthcare, RIPTA's previous insurance provider, had transmitted health claims data for all state employees to the transit authority, forcing RIPTA to manually sort through unrelated records. The breach prompted scrutiny from the Rhode Island Attorney General's office, which opened an investigation into potential regulatory violations, while the ACLU of Rhode Island criticized RIPTA's transparency and handling of the incident.