People board a bus at a stop on April 8, 2021, in Providence, R.I. The public transit authority is under investigation after its recent breach notice, as the ACLU says some breach victims don't understand why RIPTA had its healthcare data in the first place. (Photo by Spencer Platt/Getty Images)

The Rhode Island Public Transit Authority is currently being investigated by the state attorney general, following its breach notice to 5,015 health plan beneficiaries informing them their personal and protected health information was stolen during a systems hack in August.

According to the American Civil Liberties Union, the breach victims are questioning why the RIPTA had their information in the first place. The ACLU letter outlines a number of privacy and security complaints filed by the breach victims, which has since prompted a state investigation.

The ACLU is likely involved as the Health Insurance Portability and Accountability Act does not allow private rights of action, explained Kevin Wood, member of Winstead's Healthcare Industry Group. The argument is being made that’s broader than HIPAA and focused on related privacy and conduct of standards the transit authority should have followed.

From a HIPAA standpoint, it does not appear there was a reason RIPTA should have had the information in their possession that was disclosed in the incident, Wood added.

Issued in late December, the RIPTA notice reveals that a security incident was discovered on Aug. 5. An attacker gained access to multiple computer systems beginning two days before it was discovered, which enabled the exfiltration of data from the RIPTA system.

The stolen files were purportedly tied to the RIPTA health plan and included names, Social Security numbers, contact details, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers and claims data.

The impacted individuals were notified on Dec. 21, far outside of the 60-day requirement outlined in HIPAA.

However, the potential HIPAA compliance issue is minor in comparison to the concerns detailed in the ACLU complaint, centering around why RIPTA had this type of sensitive information in the first place and issues with the “misleading information about this security breach to the public.”

The ACLU received multiple complaints from the individuals notified about the RIPTA hack who were disturbed by the potential impact to their medical privacy and the length of time it took to be notified.

“But worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency,” according to the letter.

Why would a transit authority have health information?

The RIPTA breach notice explains the stolen data was tied to health plan beneficiaries. But the ACLU’s letter says many of the complaints they’ve received are from individuals who’ve never been employed by the transit authority, or who’ve never taken RIPTA transport.

The breach victims are rightfully concerned about the notice failing to answer how the stolen data “was in RIPTA’s hands in the first place.”

The ACLU has deduced one connection: the impacted individuals are or were state employees. Further, it appears that more than three times as many individuals were impacted by the incident than initially disclosed.

For Wood, the issue is clear: RIPTA should have had mechanisms in place to inform the privacy or compliance officer when the entity is inappropriately given information from another body. And when the inappropriate disclosure occurs, there should have been policies and procedures in place to actually delete those documents and confirm the data has actually been deleted.

It’s especially critical when the entity has communicated to the impacted parties affected by an improper disclosures that the data has been effectively deleted and confirmed.

RIPTA is not alone in this failure, as Wood noted that record maintenance is one of the biggest gaps seen across all sectors, and not just with health information. Especially in an electronic setting, many organizations struggle to implement and follow through with necessary protocols and procedures “that call for routine deletion after a period of time deletion or destruction.”

Wood’s practice centers around compliance measures, not only in data privacy, but in overall fraud and abuse. One of the largest focuses is to stress the importance of having appropriate compliance programs, policies and procedures.

But in the same breath, after an organization adopts those policies, it’s imperative to “routinely monitor and act in accordance with those compliance programs.”

“Because one of the worst things you can do is implement one plan, then put it on the shelf and never look at it again,” said Wood. “It doesn't protect you just to have it: you have to actually put it into practice.”

For example, a tax law requirement is to maintain tax records for seven years. Unless there’s legal action regarding the preservation of these records, a good course of action is to “delete your information and destroy the prior records.” In that way, “you don't have the chance of something like this happening.”

In regards to the RIPTA case, “all data privacy and security compliance programs should have mechanisms that deal with routine destruction of information within the timelines of data maintenance,” said Wood. In this case, “they should also have routine policies and procedures that come into play when they find out they have information they shouldn't have.”

Those measures would ensure the data is returned to the individual so they can regain control of it, and when they’re notified of the error, they can destroy it, in line with previously established mechanisms to do so.

For RIPTA, it’s not a mitigating factor but an aggravating factor of their compliance posture, if an investigation takes place.

State investigation and potential for future OCR audit

The attorney general has been asked to look into the delayed notification, why RIPTA had this personal information in their possession, whether it was inadvertently provided to RIPTA and why it was not returned or destroyed if it was sent to RIPTA in error, and the reason behind the discrepancies with the number of individuals notified.

From a HIPAA perspective and if investigated by HHS, the first step would be to determine if the data was actually transit authority health plan data, and thus, RIPTA should have protected it, Wood explained. The investigation could then expand to determine if some of the impacted data was tied to the health plan data, or if it was unrelated data.

Given the ACLU letter, it appears some of the stolen data was unrelated to the health plan. If confirmed, “the disclosure to the transit authority was also arguably a violation of somebody's duty under HIPAA, because it was obvious it was data that should not have been disclosed to” RIPTA.

The data transmitted to RIPTA “was not for a valid purpose,” Wood continued. As such, the investigation would then “go up the chain of the transmission chain to see who sent it to them, why they sent it to them, when it was sent, and if the breach notification rules were in effect at that time, why they didn't take action or realize that they inappropriately sent the information.”

“Now the difficult part is the OCR enforcement has been spotty,” he continued. “For example, you have providers who really did do something wrong, and either get a slap on the wrist, or they don't find anything.”

HHS could potentially investigate the data theft regarding any information that was indeed tied to the health plan, as RIPTA was obligated by HIPAA to know what health information was in their possession, the security measures in place to protect it, when the incident was discovered, and how the security gap that caused the hack was closed in response to the breach.

Under HIPAA, RIPTA would also need to disclose the remediation measures they’ve since implemented to prevent a recurrence. Wood added that an HHS investigation finding HIPAA compliance issues could result in a fine, depending on whether an entity cooperated with an OCR audit.

Regardless of whether RIPTA should have held the data in their possession, it’s always better to cooperate with OCR than to “try to stall or bluff your way through” it, he added.

The pandemic has stretched healthcare’s resources into other directions focused on the response and a patient’s right to access their data, but it does not mean that OCR isn’t auditing those reporting healthcare data breaches to the agency.

But for now, the investigation is being led by the state, which could spotlight whether the data in question was tied to HIPAA. And if so, from an Office for Civil Rights perspective, whether it’s “adequately enforcing, investigating and enforcing this issue.”

"We need to be better. Especially if a company says it does something with your information, it should do it,” said Wood. “There's much more to this data privacy world than just the federal scheme.”

“Most federal privacy laws will have that [compliance] branch, and just like HIPAA does, more restrictive and more protective state law will overrule and override HIPAA. So you got to keep in mind what that state's rules may be,” he continued. “The issue too is that they have to worry about not only data privacy, but consumer and resident protections overarches” the attorney general issues.