RIPTA Under Fire for Failing to Answer Questions About Data Breach

Name: Go Local Prov
Price range: $

Wednesday, December 29, 2021

GoLocalProv News Team

RI Public Transit Authority (RIPTA) is under fire for failing to disclose a major data breach of both employees and non-employees.

The ACLU of RI announced Tuesday that it has sent a letter to the agency demanding answers regarding an August 2021 data breach that compromised the Social Security numbers and private health care information of thousands of individuals -- some portion of the records who have no apparent connection to the agency.

Specifically, the letter demands to know why the agency had this information in the first place, why it took the agency more than two months to notify affected individuals, and why it provided misleading information to the public about the hack.

GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLAST

RIPTA publicly acknowledged the security breach back in August, but a notice it recently posted indicated that it involved the health care information of RIPTA personnel. In regard to the complaints received, however, the ACLU's letter states:

But worst – and most inexplicable – of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency.

The information compromised in the hack includes names, social security numbers and personal health information.

The letter also demands answers about why the agency has provided inconsistent and misleading information to the public about the hack:

The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it. According to the public notice posted on your website on or about December 21st about this security incident, the breach involved the “personal information of our health plan beneficiaries…” (emphasis added)

Contrary to the statements that the breach involved RIPTA’s health care beneficiaries, all the complaints we have received have come from people who have never been RIPTA employees and, in some instances, have never even ridden a RIPTA bus. The only connection that they all seem to have is that they are, or were, state employees. Yet nothing in RIPTA’s notice or letter explains why the personal health care information of non-RIPTA employees was in its computer system in the first place.

The letter also raises the question of why it took the agency so long to notify the affected individuals. According to the letter RIPTA sent affected individuals, the breach was identified on August 5th, but those affected by the breach were not identified until October 28, and not notified until this past week.

The letter concludes with a request that the agency provides answers as to how and why they had this personal information of non-employees and did nothing to destroy the information when they received it.

5 Big News Stories Overnight - Monday, February 9, 2026

Details Emerge About RI Man Charged as Part of Lucchese Crime Family Gambling Ring

What You Can Buy in South County

VIDEO: The Real Housewives of Rhode Island Sneak Peek and Launch Date

RIPTA Under Fire for Failing to Answer Questions About Data Breach

Enjoy this post? Share it with others.