ACLU of Rhode Island Filing Lawsuit Over RIPTA Data Breach

ACLU of Rhode Island Filing Lawsuit Over RIPTA Data Breach

The ACLU of Rhode Island will be announcing on Tuesday the filing of a lawsuit relating to the August 2021 data breach at the Rhode Island Public Transit Authority that compromised the personal and health care information of thousands of individuals, including many with no connection to RIPTA. 

On Tuesday morning, ACLU of RI cooperating attorneys and the lead plaintiff in the case will share more information on the lawsuit at ACLU’s offices in downtown Providence. 

As GoLocal reported in December 2021, RIPTA came under fire by the ACLU for failing to answer questions about the breach that occurred in the summer of 2021.

GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLAST

GoLocal wrote: 

RIPTA publicly acknowledged the security breach back in August, but a notice it recently posted indicated that it involved the health care information of RIPTA personnel. In regard to the complaints received, however, the ACLU's letter states:

But worst – and most inexplicable – of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency.

The information compromised in the hack includes names, social security numbers and personal health information.

The letter also demands answers about why the agency has provided inconsistent and misleading information to the public about the hack:

The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it. According to the public notice posted on your website on or about December 21st about this security incident, the breach involved the “personal information of our health plan beneficiaries…” (emphasis added)

Contrary to the statements that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus. The only connection that they all seem to have is that they are, or were, state employees. 

Yet nothing in RIPTA’s notice or letter explains why the personal health care information of non-RIPTA employees was in its computer system in the first place.