On December 21, 2021, the Rhode Island Public Transport Authority (RIPTA), a quasi-public agency, reported a data breach to the Department of Health and Human Services involving the protected health information (PHI) of 5,015 individuals. RIPTA detected the breach on August 5, 2021, and took immediate action to secure its network; the subsequent investigation confirmed that hackers had accessed parts of the network containing the PHI of employees and their dependents who were covered by its health plan. Those individuals were notified about the breach on December 22, 2021, and the Office of the Rhode Island Attorney General was informed about the breach on December 23, 2021.
The state attorney general and the Rhode Island American Civil Liberties Union (ACLU) received multiple complaints about the incident from individuals who had received a data breach notice. The notification letters explained that a data breach had occurred involving the personal and health data of more than 17,000 individuals. Many of the recipients had never worked for RIPTA and were not covered by its health plan, and they demanded answers about how and why RIPTA had their personal data.
ACLU Executive Director, Steve Brown, wrote to RIPTA CEO Scott Avedisian on December 28, 2021, seeking clarification about the breach, as the information announced publicly by RIPTA appeared to differ significantly from the content of the breach notification letters sent to affected individuals. Steve Brown got the impression RIPTA was downplaying the significance of the breach.
RIPTA confirmed that while the breach had affected 5,015 individuals covered by its health plan, more than 17,000 other individuals had also been affected, as RIPTA’s previous health insurer, UnitedHealthcare, had provided files to RIPTA that contained the protected health information of other state employees and their dependents.
The Rhode Island Attorney General launched an investigation into the breach and has now issued administrative subpoenas to both RIPTA and UnitedHealthcare, and officials at RIPTA and UnitedHealthcare agreed to attend a Senate oversight committee hearing to answer questions about the breach.
At the hearing, which took place on Monday, RIPTA Chief Legal Counsel Steven Colantuono said that at this stage of the investigation he believed RIPTA had done nothing wrong. UnitedHealthcare’s VP of external affairs had initially confirmed attendance at the hearing but backed out, citing the ongoing investigation into the incident.
At the hearing, Scott Avedisian explained that UnitedHealthcare had sent RIPTA links to a UnitedHealthcare portal where reports related to the health plan could be downloaded. The downloaded reports contained information about RIPTA health plan members, but also ‘hidden data’ related to other state employees. The hidden data fields contained the protected health information of 17,378 individuals, so the breach affected a total of more than 22,000 individuals.
The Rhode Island Department of Information Technology explained at the hearing that a statewide policy requires sensitive data, such as the information compromised in the cyberattack, to be encrypted, so that in the event of a data breach the information would not be accessible to hackers. However, the policy only applies to state agencies and quasi-state agencies that are assisted by the RI Department of Information Technology. RIPTA is not one of the quasi-state agencies covered by the policy and was therefore not required to adhere to the encryption policy.
In addition to the investigation by the Rhode Island Attorney General, which could potentially result in financial penalties for RIPTA and UnitedHealthcare, there will also be a federal investigation. Colantuono explained at the hearing that the federal investigation will be conducted by either the Department of Justice or the HHS’ Office for Civil Rights; the two agencies are currently deciding which of them is best placed to investigate the data breach.