PROVIDENCE — Attorney General Peter F. Neronha’s office has issued administrative subpoenas to the Rhode Island Public Transit Authority and UnitedHealthcare over a data breach that compromised the personal information of 22,000 people.
The subpoenas, or civil investigative demand letters, say the attorney general’s office was notified on Dec. 23 of a “significant information security breach,” which had first been detected on Aug. 5.
And “subsequent information” led the office to conclude “that one or more entities may have departed from industry standard information safeguards in relation to this breach,” and “in contravention of their notices of privacy practices,” the letters say.
“One of the most important issues when there is a data breach like the one at RIPTA is for our office to understand how and why the breach happened in the first place,” Neronha said Wednesday.
The administrative subpoenas seek information about what happened, what systems were in place to prevent it from happening, how the organizations responded, and how they communicated the issue to law enforcement and to the members of the public whose data was exposed, he explained.
“We are still in the early stages of this particular investigation,” Neronha said, “but I am confident we will get the information we need to move forward.”
The data breach compromised personal information for about 5,000 people associated with RIPTA, plus thousands of other state employees. The state Department of Administration has said RIPTA participates in the state’s health insurance plan and state employee data was “incorrectly shared” with RIPTA by a prior health insurance provider, UnitedHealthcare.
Rhode Island’s Identity Theft Protection Act requires state agencies and others to meet notification requirements when a data breach “poses a significant risk of identity theft to any resident of Rhode Island.”
“The notification shall be made in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements,” the law states.
And if a breach affects more than 500 Rhode Island residents, that agency must notify the attorney general and the major credit reporting agencies.
During a Senate oversight hearing on Monday, RIPTA officials detailed a timeline that shows the quasi-public agency first learned that an “unauthorized third party” had accessed the computer system on Aug. 5.
RIPTA notified the FBI on Aug. 11, but it did not send notices to the 22,000 people affected or to the attorney general and credit reporting agencies until Dec. 21, according to the timeline.
During the hearing, Senator Frank Lombardo III, a Johnston Democrat, asked why it took RIPTA more than two-and-a-half months to identify those who had their personal information hacked, and why it took another two months to notify them.
RIPTA officials said that the process of identifying those 22,000 people affected by the breach was extremely labor intensive. Initially, staff members were reviewing 80,000 files in various formats and removing duplicates, they said. RIPTA had a small team of finance, human resource, and information technology officials reviewing the data because the files contained personal information, they said.
The oversight committee chairman, Senator Louis P. DiPalma, a Middletown Democrat, said he was “extremely disappointed” that UnitedHealthcare officials did not take part in Monday’s hearing. And Senator Jessica de la Cruz, a North Smithfield Republican, said, “I am hoping to subpoena them.”
The attorney general’s office issued its administrative subpoenas on Jan. 27. In the subpoena sent to UnitedHealthcare, the attorney general asks the health insurer to, among other things:
- “Describe the facts and circumstances leading to Unitedhealthcare’s discovery of RIPTA’s access of data of non-RIPTA affiliates.
- “Provide a detailed timeline of Unitedhealthcare’s actions related to RIPTA’s access of data of non-RIPTA affiliates, commencing at the time of discovery, and identifying RIPTA’s remedial, responsive, and prophylactic steps through the present day.
- “Produce a copy of Unitedhealthcare’s insurance claim submission(s) to its insurer in pursuit of coverage arising out of RIPTA’s access of data.
- “Identify additional safeguards that have been or are slated to be adopted in an effort to prevent future breaches of the security of sensitive personal data.
- “Produce each notice or communication between Unitedhealthcare and a law enforcement organization or regulatory authority of any state or of the United States.”
The administrative subpoenas give UnitedHealthcare and RIPTA 30 days to provide the information to Etie-Lee Z. Schaub, managing attorney of the consumer and economic justice unit.
On Wednesday, RIPTA CEO Scott Avedisian said the agency plans to fully cooperate with the attorney general’s investigation.
“We welcome his review of the situation and the opportunity to discuss it,” he said. “We understand that this has been a difficult time for those affected by this incident, and we sincerely apologize for the inconvenience that this has caused.”
UnitedHealthcare spokesman Tony Marusic said, “Protecting member privacy is a top priority, and we are working with multiple parties to understand the data breach that impacted the Public Transit Authority’s computer system. We were privileged to serve the State of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter.”
As for UnitedHealthcare’s decision to not attend Monday’s hearing, Marusic said, “We are working directly with the attorney general’s office on their investigation and cannot provide further public comment until they complete their review.”