RI Attorney General Subpoenas UnitedHealthcare and RIPTA in Relation to 22,000-Record Data Breach

The Rhode Island Attorney General is conducting an investigation involving the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare because of a cyberattack and security breach that allowed hackers to access RIPTA’s system that held the sensitive personal data and protected health information (PHI) of around 22,000 persons.

The Office of the Rhode Island Attorney General was informed concerning the security breach that happened on December 23, 2021. RIPTA stated it found and blocked a cyberattack last August 5, 2021. Upon investigation, it was confirmed that hackers acquired access to its system on August 3, 2021. Files kept on the affected section of its system included extensive data on its workforce, such as names, birth dates, Social Security numbers, and health plan identification numbers, together with the sensitive data of thousands of state personnel who were not employed at RIPTA.

RIPTA sent the breach report to the HHS’ Office for Civil Rights indicating that 5,015 people were impacted. However, in RIPTA’s breach notice, it was mentioned that the event led to the compromise of the personal information of 17,378 people. The difference in the figures was because UnitedHealthcare, RIPTA’s former medical insurance provider, furnished RIPTA with files that contain the information of non-RIPTA personnel. Altogether, around 22,000 people had their sensitive information stolen from the attack. The files were kept on RIPTA’s servers and had no encryption. The attackers exfiltrated roughly 40,000 files from RIPTA’s servers.

RIPTA mailed notification letters to impacted persons, which include those that were not associated with RIPTA, causing a ton of complaints received by the Office for the Attorney General asking why their personal information was exposed in a breach at RIPTA when they were not associated with the quasi-public organization. The late sending of notification letters was because of the manual checking of the 40,000 files, which was a labor-intensive and lengthy procedure. RIPTA stated only a few people conducted the document review to avoid further exposure of sensitive information.

On February 7 at a Senate oversight committee hearing, RIPTA managers testified under oath about the security incident. RIPTA Chief Legal Counsel Steven Colantuono stated that they believe no one did any wrong on their part, but the incident is still under investigation.

RIPTA Director Scott Avedisian stated that reports acquired by RIPTA from a UnitedHealthcare website from 2015 to 2020 were ‘filtered files’, and the information not related to RIPTA was meant to stay undetectable. Although not confirmed, the information implies the downloaded files were Excel files with selected hidden rows. UnitedHealthcare sent to RIPTA the protected links to gain access to the files on the website.

During the hearing, officers at the state Department of Information Technology stated there is a statewide policy, which requires the encryption of sensitive information like personally identifiable information (PII), personal health information (PHI), and federal tax data; nonetheless, RIPTA isn’t an agency or quasi-state agency assisted or backed by the Department of Information Technology, therefore RIPTA does not need to follow the state’s encryption guidelines.

UnitedHealthcare’s Vice President of external affairs was supposed to show up at the hearing however declined after originally saying yes to appear. UnitedHealthcare mentioned it is looking into the breach to find out what really happened. At this time, the HHS’ Office for Civil Rights breach portal did not list the breach at UnitedHealthcare yet.

Besides the Rhode Island Attorney General investigation, Colantuono mentioned there will additionally be a federal investigation and talks are presently being held by the Department of Justice and the HHS’ Office for Civil Rights to find out which of them will do the investigation. There’s likewise the probability of taking legal action against UnitedHealthcare and RIPTA by state personnel impacted by the incident.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA