The state hasn’t been immune to major data breaches – the latest example being an R.I. Department of Health mishap that exposed the protected information of nearly 9,000 people last summer and fall.
So what is the government’s top technology agency doing to prevent future security breakdowns across all state departments?
It’s been four months since Bijay Kumar left his job as the state’s chief information officer and chief digital officer, a position in which he also supervised the R.I. Division of Information Technology.
The CIO/CDO “is ultimately responsible for the cybersecurity of state systems and the implementation of protective measures and controls with state departments to protect their sensitive data,” said R.I. Department of Administration spokesperson Laura Hart. “As such, both the agency involved and the Division of Information Technology share responsibility for any data breach response.”
The state is still in the process of finding a long-term replacement for Kumar. Chief Information Security Officer Brian Tardiff is in the position on an interim basis, Hart said.
Meanwhile, RIDOH and the R.I. Public Transit Authority are separately resolving security issues that affected a combined total of close to 30,000 Rhode Island residents.
In December, RIDOH revealed it had accidentally shared the health information of about 8,800 people a few months earlier.
In that instance, RIDOH staff accidentally included a link to a document containing thousands of individuals’ COVID-19 isolation and quarantine information in email messages. The document also included personal details such as phone numbers and addresses.
Hart said the state’s IT division responded and “an assessment of sensitive data storage and sharing protocols was executed, as were additional cybersecurity and data hygiene training with agency staff.”
In August 2021, a cyberattack against RIPTA, which also breached UnitedHealthcare of New England Inc. data shared with the agency, compromised the personal data of more than 20,000 current and former state employees. The American Civil Liberties Union of Rhode Island Inc. has since filed a class-action lawsuit against RIPTA and UnitedHealthcare.
Hart noted that the quasi-public transit agency isn’t directly supported by the state IT division, but it “did share best practices with the RIPTA team and recommended an external cybersecurity assessment.”
The RIPTA lawsuit has highlighted a state mechanism directed at cybersecurity: when a data breach affects at least 500 people, the law requires the R.I. Office of the Attorney General to investigate.
Federal law also encourages state attorneys general to cooperate with the U.S. government when health care privacy laws are involved.
The RIPTA investigation is ongoing. Brian Hodge, spokesperson for Attorney General Peter F. Neronha, said the office “continues to pursue all available authorities to ensure the protection of personal information in the custody of state agencies, as well as accountability for failure to safeguard this information.”
In another incident, mortgage customers of the quasi-public R.I. Housing and Mortgage Finance Corp. were notified their personal information was involved in a data breach last spring.
Third-party vendor NewCourse Communications sent notices to mortgage customers affected by the breach and has offered a free year of credit monitoring services.
Customers’ names, addresses and the last four digits of their Social Security numbers were exposed; however, highly sensitive information such as full Social Security numbers and dates of birth was not.
In general, states benefit from a multipronged approach to cybersecurity, said Leah Rosenbloom, a doctoral candidate in cryptography and privacy at Brown University.
Best practices typically look at cybersecurity in stages, Rosenbloom said, starting with preventative measures and ending with accountability and reparations for those affected.
That includes “a larger system of transparency and communication between state departments,” Rosenbloom said, and “making sure there’s some kind of coordinated effort for data security.”