128 Dorrance Street, Suite 400

Providence, RI 02903
Phone: (401) 831-7171
Fax: (401) 831-7175
www.riaclu.org
info@riaclu.org

NEWS RELEASE
DECEMBER 28, 2021

ON HEELS OF PUBLIC COMPLAINTS, ACLU DEMANDS ANSWERS FROM

RIPTA ABOUT BREACH OF PERSONAL DATA

The ACLU of RI has sent a letter today to the RI Public Transit Authority (RIPTA)
demanding answers regarding an August 2021 data breach at the agency that compromised
the Social Security numbers and private health care information of thousands of individuals
who have no apparent connection to the agency.

Specifically, the letter demands to know why the agency had this information in the first
place, why it took the agency more than two months to notify affected individuals, and why
it provided misleading information to the public about the hack.

RIPTA publicly acknowledged the security breach back in August, but a notice it recently
posted indicated that it involved the health care information of RIPTA personnel. In regard
to the complaints received, however, the ACLU's letter notes:

But worst – and most inexplicable – of all, the people who have contacted us
are even more deeply distressed by the fact that RIPTA somehow had any of
their personal information – much less their personal health care information
– in the first place, as they have no connection at all with your agency.

The information compromised in the hack includes names, social security numbers and
personal health information.

The letter also demands answers about why the agency has provided inconsistent and
misleading information to the public about the hack:

The information that has been provided publicly by RIPTA about this security
breach is, in many ways, significantly and materially different from the
information RIPTA has provided the affected individuals about it. According
to the public notice posted on your website on or about December 21st about
this security incident, the breach involved the “personal information
of our health plan beneficiaries…” (emphasis added)

Contrary to the statements that the breach involved RIPTA’s health care
beneficiaries, all the complaints we have received have come from people who
have never been RIPTA employees and, in some instances, have never even
ridden a RIPTA bus. The only connection that they all seem to have is that
they are, or were, state employees. Yet nothing in RIPTA’s notice or letter
 explains why the personal health care information of non-RIPTA employees
was in its computer system in the first place.

The letter also raises the question of why it took the agency so long to notify the affected
individuals. According to the letter RIPTA sent affected individuals, the breach was
identified on August 5th, but those affected by the breach were not identified until October
28, and not notified until this past week.

The letter concludes with a request that the agency provide answers as to how and why they
had this personal information of non-employees and did nothing to destroy the information
when they received it.

A copy of the letter is available here.

FOR MORE INFORMATION, CONTACT:

Steven Brown: 401-831-7171; sbrown@riaclu.org