Date: 2022-02-01

PROVIDENCE, R.I. (WPRI) — A data breach at the R.I. Public Transport Authority (RIPTA) is bigger than the agency previously disclosed.

At a Senate Oversight Committee hearing on Monday night, RIPTA officials revealed as many as 22,000 people — 5,015 RIPTA employees and some 17,000 other Rhode Island residents — were impacted by the breach last August.

Previously, the quasi-public agency estimated about 17,000 total were affected by the breach. Officials have said the hackers accessed files that contained information from the state’s health insurance billing plan, which included the personal details of state workers outside of the agency.

RIPTA Chief Legal Counsel Steven Colantuono noted during Monday’s hearing that some of the impacted names and addresses were duplicative, but did not elaborate on how many.

During Monday’s hearing, RIPTA CEO Scott Avedisian provided a timeline of the August breach and actions taken thereafter, which showed just a handful of RIPTA employees conducted a manual review of the impacted files.

“That process was time and labor intensive, including looking at more than 40,000 records,” Avedisian said Monday, noting the number of people looking through the files was kept purposely low, so as not to compromise the information further.

The director said RIPTA notified R.I. Attorney General Peter Neronha’s office nearly four months later, on Dec. 21, when the agency began mailing letters to individuals impacted by the breach.

“The whole purpose of notifying this office is so that if we think a follow-up investigation needs to happen, both about the content of the notice starting at its most basic, meaning was the notice sufficient? Was it timely, did it include all the information it was supposed to have?” Neronha told 12 News on Tuesday.

Target 12 has learned Neronha’s office, which is actively investigating the security breach, recently issued civil subpoenas to both RIPTA and UnitedHealthcare, the state’s former health plan administrator.

The documents say that, under the state’s Identity Theft Protection Act, the office determined it would be in “the public interest to further investigate the issue.”

The 2015 law requires entities to notify the attorney general in the event of a data breach affecting more than 500 Rhode Islanders “no more than 45 calendar days after the breach.”

When asked if the entities violated that law, Neronha said his office is looking at that.

“Frankly, it’s an issue that in the first instance got our attention,” Neronha told 12 News.

The subpoenas note “one or more entities may have departed from industry standard information safeguards in relation to this breach and in contravention of their notices of privacy practices or other representation of privacy practices to consumers.”

The other issue, Neronha said, is understanding how and why the breach happened in the first place.

His office is seeking information tied to RIPTA and UnitedHealthcare’s cybersecurity, how the organizations responded to the hack and how they communicated afterward with each other, regulators and law enforcement.

Neronha said his office is looking at “what the scope of the problem is, what remedies you need to take to make sure it doesn’t happen again, or perhaps steps we can take to protect people that were victimized by this breach, the subject of this breach, and move forward.”

“And we’re still in the early stages here, obviously,” he added.

Senate Oversight Chairman Lou DiPalma said he wants lessons learned from RIPTA’s August breach to be used across state government, arguing it’s not a matter of if but when another breach happens.

“Some folks in this room, and I’m sure some folks watching, were impacted by the data breach and it’s something that can go on for decades,” DiPalma said.

“It’s important, it’s an extremely important topic, that Rhode Islanders’ personal information, both personal identifiable information, PII, and personal identifiable health information is protected to the nth degree,” the senator added.

In a statement to 12 News on Tuesday, RIPTA’s acting public information officer, Cristy Raposo Perry, said the agency “takes seriously the security and privacy of the information in our care.”

“We are continuing to take steps to strengthen our information security processes, including by further enhancing our security protocols, document handling practices and cybersecurity training for our employees. RIPTA will continue to work with third party vendors to help ensure that sensitive information is not inappropriately shared with RIPTA in the future,” the statement continued.

UnitedHealthcare did not testify Monday night, after initially agreeing to appear at the virtual hearing.

A spokesperson for UnitedHealthcare said the company is “working directly with the attorney general’s office on their investigation and cannot provide further public comment until they complete their review.”

A statement added the company is “working with multiple parties to understand the data breach.”

Eli Sherman contributed to this report.