The incident, which happened in August, exposed the information of around 22,000 people.

The Rhode Island Attorney General's office last week filed a civil investigation lawsuit against UnitedHealthCare of New England after a security breach at the Rhode Island Public Transportation Authority exposed the information of 22,000 people.

"On or about December 23, 2021, the OAG became aware of a material information security breach involving information held by government employees participating in the government healthcare plan," the office said in a statement made available to Healthcare IT News in early January.

"Subsequent information has led OAG to the conclusion that one or more companies related to this breach may have departed from industry privacy practices and violated their privacy practices notices or other representations of consumer privacy practices," the statement continued.

"Protecting the privacy of members is a top priority and we are working with multiple parties to understand the data breach that affected the public transit authority's computer system," UnitedHealthCare officials said in a statement.

"We have had the privilege of serving Rhode Island State employees and their families through December 2019 and will continue to cooperate with the Office of the Attorney General in the investigation of this matter," the statement continued.


The incident in question happened in August, when RIPTA says it discovered that files related to its healthcare plan had been stolen from its network by an unknown entity.

Upon review, RIPTA said the files contained plan member names, social security numbers, addresses, dates of birth, Medicare ID numbers and qualifying information, health plan member ID numbers, and health plan information.

At a legislative hearing Tuesday night, agency officials said about 22,000 people were affected, of whom about 5,000 were RIPTA employees.

But some of the additional 17,000 people, officials said, were workers for other state agencies.

In late December, the American Civil Liberties Union of Rhode Island raised concerns on behalf of some of these employees, noting that they had no connection with RIPTA.

"Nothing in RIPTA's notice or letter explains why the personal health information of non-RIPTA employees was even on its computer system," the Rhode Island ACLU said in a letter to RIPTA.

This week, a RIPTA spokesman told a local NBC affiliate that the state's "former health insurance provider sent RIPTA the files containing [the] information."

The AG also addressed this point.

In its investigation request to UnitedHealthCare and Healthcare IT News, the OAG requested information and documents related to the incident, such as:

Whether United believes that RIPTA's access to information about non-RIPTA participants in the State Healthcare Plan constitutes a violation
United Injury Response Plan
Any location on United's network or system where an individual's sensitive personal information has been retained in a form accessible to RIPTA for the appropriate period of time
The nature of RIPTA's access to sensitive personal data of non-RIPTA partners, any known vulnerabilities that existed at the time, and vulnerabilities discovered during the investigation.
How these vulnerabilities allowed, contributed to, or otherwise enabled access

UnitedHealthCare of New England has 30 days to respond.


State and federal agencies have occasionally exercised their enforcement powers over data breaches, sometimes levying fines on healthcare facilities in addition to private legal claims.

For example, Letitia James, the Attorney General for New York State, announced last month that EyeMed, a provider of vision aids, agreed to pay the state $600,000 following a cyber incident that affected an estimated 2.1 million US citizens.


"We encourage Rhode Island residents who have received a RIPTA notice to follow the steps outlined in that notice and sign up for free credit monitoring, fraud advice and identity recovery services," the OAG said.