22,000-Record Data Breach Results in RI Attorney General Subpoenas for RIPTA and UnitedHealthcare
An investigation is being conducted by the Rhode Island Attorney General into the UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) following the discovery of a cyberattack and data breach that allowed cybercriminals obtaining access to RIPTA’s databases which were holding sensitive personal and the protected health information (PHI) of approximately 22,000 people.
The Office of the Rhode Island Attorney General was made aware of the cyberattack on December 23, 2021 by RIPTA. The group confirmed that it had become aware of, and addressed, the attack on August 5 2021. A subsequent investigation showed that the cybercriminals obtained access initially on August 3, 2021. The section of the network that was infiltrated was storing some data related to, and including, the PHI of employees. The range of data incorporated identities, birth dates, Social Security numbers, and health plan IDs, along with the protected information of thousands of state workers who had never been employed by RIPTA.
RIPTA submitted a breach report to the HHS’ Office for Civil Rights as having impacted 5,015 people. The breach notice included details of how the incident infiltrated the PHI of 17,378 people. The difference in these figures is a result of UnitedHealthcare, RIPTA’s previous health insurance supplier, providing RIPTA with files that included the data of non-RIPTA workers. Overall, as many as 22,000 people had their private information impacted during the attack. The files were being held on RIPTA’s databases and were not encrypted and the cybercriminals stole around 40,000 files from RIPTA’s databases.
RIPTA issued notification letters to impacted people, including those that had no link to RIPTA, resulting in a surge of complaints to the Office for the Attorney General asking why their personal data had been impacted in the cyberattack at RIPTA even though they had no link to the quasi-public agency. The slowness in sharing notification letters was a result of those 40,000 files having to be manually reviewed, which was a labor-intensive and time-consuming task. RIPTA confirmed that a small number of people were involved in the document review to stop sensitive data from being further impacted.
Earlier this week, RIPTA administrators testified under oath at a Senate oversight committee in relation to the cyberattack. RIPTA Chief Legal Counsel Steven Colantuono stated: “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”
RIPTA Director Scott Avedisian revealed that reports placed by RIPTA from a UnitedHealthcare portal at some point between 2015 and 2020 were ‘filtered files’, and the data not connected to RIPTA should have remained inaccessible. It would appear that, from the reports released to date, the downloaded files were Excel spreadsheets with certain rows hidden. This has yet to be confirmed though. The secure links to access the files on the portal were sent to RIPTA by UnitedHealthcare.
The State Department of Information Technology confirmed, at the hearing, that a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information is in place. However, RIPTA is not supported by the Department of Information Technology and, as such, is not obligated to comply with this.
UnitedHealthcare’s VP of external affairs was due to appear at the hearing but cancelled before it took place.