Hackers were able to access the personal information of thousands of state employees because a Rhode Island Public Transit Authority employee failed to delete a file from their hard drive, union officials said this week .
Unions representing state employees demanded to know why RIPTA was storing sensitive information belonging to workers unrelated to the transit agency.
That culminated in a phone call this week involving a coalition of unions, according to a summary of the call that was provided to the Providence Journal.
Sometime in August 2020, a RIPTA payroll clerk “uploaded a file, to pay monthly claims,” the call summary reads.
This file was “left on the [employee’s] hard drive, which is not normal, and this hard drive was hacked,” he continued.
RIPTA was not immediately able to respond to inquiries from the Journal on Friday, including whether the payroll clerk had been disciplined.
The cyberattack on RIPTA’s computer systems took place in August 2021, indicating that the file remained on the Registrar’s hard drive for about a year.
What remains unclear is how the employee was able to download this file in the first place: was it sent in an email, or did the employee have to click on a link or take other measures to access the data?
Understanding exactly how the data ended up on RIPTA’s servers will be crucial to avoiding a replay, said Sen. Louis P. DiPalma, D-Middletown.
RIPTA previously told the Journal that the file was inappropriately shared with the agency by a former health insurance provider.
Rhode Island’s Blue Cross Blue Shield, which currently administers the health plan for state employees, said it did not provide the data stolen in the breach.
UnitedHealthcare, which previously administered the health plan, issued the following statement on Thursday: “We had the privilege of administering the health benefit plan for Rhode Island State employees and their families from May 2005 through December 2019. Protecting sensitive member information is a key priority for us. Although this data breach did not affect any UnitedHealthcare systems, we share the officials’ interest in understanding the facts and are available to cooperate with authorities in as part of their investigation.
More than 17,000 people were notified that their data had been accessed by hackers during the August breach. The information compromised included Social Security numbers, dates of birth, addresses, and dates and amounts of health claims.
According to the union appeal summary, the violation affected individuals who were state employees or affiliated with the state between 2013 and 2020 and who were enrolled in the state health plan.
It is not known if the dependents of these employees were also affected, according to the summary of the appeal.
Employees enrolled only in the state’s Delta Dental plan were not affected, union leaders said.
Correction: This story has been updated to reflect that the phone call only involved union leaders, not state officials.
©2022 www.providencejournal.com. Visit providencejournal.com. Distributed by Tribune Content Agency, LLC.