(TNS) – The Rhode Island Public Transit Authority data breach that compromised the personal information of thousands of officials raises many questions about state protocols for handling sensitive data, according to Senator Louis P. DiPalma, D-Middletown.
Among them: Who within RIPTA received files containing personal information on state officials unrelated to the agency? Why has this data not been deleted?
And do we know where other similar data might be stored on state servers?
“We are talking about 17,000 people who are affected and could be affected for life,” said DiPalma. “How do we make sure this doesn’t happen again?”
RIPTA revealed in late December that hackers had obtained files containing information including Social Security numbers, dates of birth, addresses, and the dates and dollar amounts of health claims. The breach took place in early August and involved data belonging to past and present employees who were on the state health plan, as well as their beneficiaries.
This data was “wrongly shared” with RIPTA by the former state health insurance provider, according to a lengthy FAQ document that the Department of Administration sent to state employees on Wednesday morning.
The state’s current health insurer is Blue Cross &amp; Blue Shield of Rhode Island. A spokesperson for UnitedHealthcare, which administered the state’s health insurance plan until 2020, said on Tuesday that the company had no comment.
Meanwhile, the office of Health Insurance Commissioner Patrick Tigue “is performing a due diligence review to understand the role the former third-party state administrator would have played for state employee health benefits in producing the data that was provided to RIPTA and later stolen,” Tigue’s chief of staff Cory King wrote in an email.
DiPalma said it would be important to know exactly how the data was shared with RIPTA: was it in an email to the transit agency, or did someone at RIPTA have to click on a link to access it?
“None are good,” he said, but the context matters because preventing a repeat requires knowing how RIPTA acquired the data in the first place. Likewise, it is important to know how long the data has sat on RIPTA’s servers and whether it was all shared with RIPTA on one occasion or in separate transfers spanning several years.
Initially, the DOA told state officials that the compromised files appeared to contain information from 2013 to 2015. The agency has since corrected this statement, saying “the period covered by the data files extends to a point currently undetermined in early 2020.”
IT managers should do a “scan” to find out where other information such as Social Security numbers is stored, who has access to it and why it is there, DiPalma previously told the Journal.
The state’s information technology department did not respond to an inquiry on Tuesday. The DOA FAQ states that RIPTA “is now taking all necessary steps to remove all files containing information on state employees” and that the state “is working closely with all parties involved” to avoid a recurrence.
“Someone at some point should have raised their hand and said, ‘Should I have this?’” said DiPalma. He is looking into whether there was a protocol in place that should have been followed, which could indicate a need for more training so that state employees know what to do if they inadvertently end up holding sensitive data in the future.
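The “scan” DiPalma describes is a data-discovery sweep: walk the file shares and mailboxes an agency controls, flag files that hold Social Security numbers, and use the inventory to decide who should have each file and whether it should exist at all. The script below is an added example written for this page; it is not from the Providence Journal article, RIPTA or the state of Rhode Island. It walks a directory tree, matches SSN-shaped values, discards numbers the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000), and reports each hit with the value masked so the scan report does not become one more copy of the data. The sample files, their contents, the list of text-like extensions and the size cap are all constructed assumptions for the demonstration.

```python
"""PII discovery scan for Social Security numbers.

Added example for this page, not code from the article or from RIPTA.
The sample files written by build_sample_tree() are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Nine digits as ddd-dd-dddd, ddd dd dddd or ddddddddd. The lookarounds keep
# longer digit runs (phone numbers, account numbers, timestamps) from matching.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Assumed for the demo: only these suffixes are read as text. Spreadsheets,
# PDFs and mailbox stores need their own extractors in a real inventory.
TEXT_SUFFIXES = {".csv", ".txt", ".log", ".json", ".xml", ".eml"}
MAX_BYTES = 50 * 1024 * 1024  # demo cap; a production scan should stream large files


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues. A pass is still only a candidate
    for human review, not proof the file holds a real SSN."""
    if area in ("000", "666") or int(area) >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list:
    """Return (line_number, masked_value) for each plausible SSN in text.
    Only the last four digits are kept so the report is safe to circulate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SSN_RE.finditer(line):
            area, group, serial = match.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((line_no, f"***-**-{serial}"))
    return hits


def scan_tree(root: Path) -> dict:
    """Map each text-like file under root (POSIX-style relative path) to its hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except UnicodeDecodeError:
            continue  # binary content behind a text suffix
        hits = find_ssns(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample data: a health-claims export that should never have
# reached a transit agency, a forwarded mail with an unformatted SSN, and
# operations data whose numbers only look like SSNs.
SAMPLE_FILES = {
    "benefits/claims_2015.csv": (
        "employee,ssn,dob,claim_date,amount\n"
        "J. Doe,123-45-6789,1970-01-01,2015-03-04,1250.00\n"
        "R. Roe,587 65 4321,1982-07-19,2015-03-05,80.00\n"
    ),
    "mail/forwarded.eml": (
        "Subject: FW: enrollment file\n"
        "Please see attached, member 321549876 needs a corrected address.\n"
    ),
    "ops/routes.txt": (
        "Route 66 departs 06:00, fare box id 000-12-3456, stop code 666-00-1234\n"
        "Call 401-555-1234 for dispatch; vehicle 900-11-2222 out of service\n"
    ),
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="pii_scan_demo_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def report(findings: dict) -> list:
    """Render findings as report lines: one per file, then one per masked hit."""
    lines = []
    for rel, hits in findings.items():
        lines.append(f"{rel}: {len(hits)} candidate SSN(s)")
        lines.extend(f"  line {line_no}: {masked}" for line_no, masked in hits)
    return lines


if __name__ == "__main__":
    for line in report(scan_tree(build_sample_tree())):
        print(line)
```

Run as written, the scan flags the claims export and the forwarded mail and leaves the routes file alone, because every SSN-shaped value in it fails the SSA structural rules. A real inventory would also record the file owner, last-modified time and share permissions for each hit, since those answer the questions raised above about who received the data and why it was never deleted.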
“There are still a lot of other questions that we need to answer in order for us to have a full understanding of the situation, and I will seek those answers,” said DiPalma.
RIPTA did not respond to questions about who received the data that was mis-shared with the agency, and why it was not deleted.
“As the situation continues to be reviewed, it is important to note that RIPTA has complied and fulfilled all of its legal obligations and continues to cooperate fully with the Attorney General’s investigation,” said Senior Executive Courtney Marciano in an email. “While the event is certainly unfortunate, we are handling the situation with the utmost seriousness it requires, while carefully reviewing the security measures in place and finding all means to improve them in the future.”
The exact number of people whose data was stolen during the RIPTA breach has been a continuing source of confusion.
Letters to victims say the incident “involves 17,378 people in Rhode Island.” But the Rhode Island attorney general’s office was told the files contained personal information of “more than 12,700 Rhode Island residents,” spokeswoman Kristy dosReis said last week.
A third figure can be found on the US Department of Health and Human Services online data portal, which indicates that only 5,015 people were affected by the breach.
Marciano said on Wednesday that the gap reflected that “the total number of people whose personal health information has been affected by the incident in accordance with HIPAA” was 5,015.
Rhode Island law requires people to be notified of any breach that “poses a significant risk of identity theft,” so notification is not limited to cases where health data has been compromised and HIPAA rules would apply. RIPTA sent notifications to a total of 17,378 people under this law, Marciano said.
According to the DOA, employees who received a letter indicating that their personal data had been compromised are “encouraged to actively monitor the possibility of fraud and identity theft by regularly reviewing your credit reports and account statements for any unauthorized activity,” and to sign up for the free credit monitoring provided by RIPTA.
Receiving a letter doesn’t necessarily mean you’ve been the victim of identity fraud, according to the guidance notes.
RIPTA did not say who would foot the bill for the full year of Equifax credit monitoring offered to people whose information has been compromised.
© 2022 www.providencejournal.com. Distributed by Tribune Content Agency, LLC.