PROVIDENCE, R.I. (AP) — The American Civil Liberties Union of Rhode Island is demanding more answers about a data breach at the state's public bus service, including why the personal information of state employees who don't even work for the agency was compromised.
The Rhode Island Public Transit Authority publicly disclosed the data breach Dec. 21, saying that unauthorized access had been gained to some of its computer systems and that private health care information — including Social Security numbers, dates of birth, and Medicare identification numbers — had been compromised.
The ACLU in a letter to the agency dated Tuesday, wants to know why the breach was identified in early August, but it reportedly took until Oct. 28 to identify the people whose private information had been hacked, and almost two more months to notify them.
“It is essential that RIPTA provide answers to the public as to why it had this private information in the first place and why it has provided misleading information about this security breach to the public," the ACLU letter said.
The ACLU's letter was prompted by complaints from state employees who said they did not work for RIPTA, and in some cases, had never used its bus service, the ACLU said.
The ACLU also wants to know why the U.S. Department of Health and Human Services website says 5,015 people were affected by the data breach, but RIPTA puts that number at 17,378.
RIPTA senior executive Courtney Marciano explained to The Providence Journal via email that the information on non-RIPTA employees was sent to the agency by the state's previous health insurance provider.
She also said it took so long to inform people because identifying the people whose personal data was compromised and finding their addresses so that they could be notified was “time and labor-intensive.”
The RIPTA employees' union in a statement said the agency “dropped the ball."