AG demands records on RIPTA data breach

Updated at 3:53 p.m.

PROVIDENCE – The state’s top legal officer is ordering the Rhode Island Public Transit Authority and UnitedHealthcare to turn over documents showing what they knew, and when, regarding a data breach that compromised the information of 22,000 people.

The civil investigative demand letters – the equivalent of a subpoena for a civil investigation – are the latest in ongoing investigations into the breach that exposed some 5,000 RIPTA employees’ private medical and personal information, along with other state employees. 

The R.I. Office of the Attorney General on Jan. 27 issued letters to RIPTA and its prior health insurance provider, UnitedHealthcare, asking the two organizations to turn over documents related to the breach as part of its investigation, including details on whether the companies followed the correct steps once they learned that information had been exposed. 

“Subsequent information has led the OAG to conclude that one or more entities may have departed from industry standard information safeguards in relation to this breach and in contravention of their notices of privacy practices or other representation of privacy practices to consumers,” according to the letters sent from Etie-Lee Z. Schaub, managing attorney for the Consumer and Economic Justice Unit at the attorney general’s office, which were shared with PBN on Thursday.

RIPTA did not publicly disclose that its private employee records had been accessed until December, months after the August incident occurred, prompting criticism from groups such as the American Civil Liberties Union, as well as state lawmakers. Testimony during an R.I. Senate Oversight Committee meeting on Jan. 31 also revealed that far more people’s information was put at risk than originally reported: 22,000, including 5,000 RIPTA employees, compared with the 17,000 estimated in December, the Associated Press reported.

The letters from the attorney general’s office give each agency 30 days to respond to numerous document requests, including details of what information was accessed, how the organizations documented the breach and the communication between the two agencies, as well as with affected employees and law enforcement, once they learned that private information had been accessed. 

Under the state Identity Theft Protection Act, state agencies are required to notify the attorney general’s office, credit agencies and other relevant groups within 45 days of confirming a “significant data breach” that affects at least 500 residents.

RIPTA CEO Scott Avedisian in an emailed statement on Thursday said the agency plans to “fully cooperate with Attorney General [Peter F.] Neronha’s investigation.

“We welcome his review of the situation and the opportunity to discuss it,” Avedisian said. “We understand that this has been a difficult time for those affected by this incident and we sincerely apologize for the inconvenience that this has caused.”

UnitedHealthcare in an emailed statement Thursday also said it would cooperate with the investigation.

“Protecting member privacy is a top priority, and we are working with multiple parties to understand the data breach that impacted the Public Transit Authority’s computer system,” said spokesman Tony Marusic. “We were privileged to serve the State of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter.”

(UPDATE: Adds last two paragraphs with comment from UnitedHealthcare.)

Nancy Lavin is a staff writer for the PBN. Contact her at Lavin@PBN.com.