Rhode Island AG opens investigation into UnitedHealthCare after data breach

The State of Rhode Island Office of the Attorney General issued a civil investigative demand to UnitedHealthCare of New England this past week after a security breach at the Rhode Island Public Transit Authority exposed the data of 22,000 individuals.  

“On or about December 23, 2021, OAG was made aware of a significant information security breach involving the information of state employee participants in the state health plan,” said the office in a statement in early January provided to Healthcare IT News.

“Subsequent information has led OAG to conclude that one or more entities may have departed from industry standard information safeguards in relation to this breach and in contravention of their notices of privacy practices or other representation of privacy practices to consumers,” the statement continued.  

“Protecting member privacy is a top priority and we are working with multiple parties to understand the data breach that impacted the Public Transit Authority’s computer system,” said UnitedHealthCare representatives in a statement.   

“We were privileged to serve the State of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter,” the statement continued.  

WHY IT MATTERS  

The incident in question took place in August, when RIPTA says it determined that files pertaining to its health plan had been exfiltrated from its network by an undisclosed entity.  

After a review, RIPTA said that the files contained plan member names, Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers and claims information.  

At a legislative hearing Tuesday night, agency officials said about 22,000 people were affected – roughly 5,000 of whom were RIPTA employees.  

But some of the additional 17,000 individuals, said officials, were workers at other state agencies.  

In late December, the American Civil Liberties Union of Rhode Island raised concerns on behalf of some of those employees, noting that they had no connection at all with RIPTA.  

“Nothing in RIPTA’s notice or letter explains why the personal healthcare information of non-RIPTA employees was in its computer system in the first place,” said ACLU Rhode Island in a letter to RIPTA.  

That week, a RIPTA spokesperson told a local NBC affiliate that the state’s “previous health insurance provider sent the files to RIPTA that included [the] information.”  

The OAG dug into this point as well.

In its investigative demand sent to UnitedHealthCare and provided to Healthcare IT News, the OAG requested information and documents concerning the incident, such as:  

  • Whether United views RIPTA’s access of information related to non-RIPTA affiliated participants in the state health plan as a breach
  • United’s breach response plan
  • Each place in United’s network or system in which any person’s sensitive personal data was maintained in a form accessible by RIPTA during the relevant time period
  • The nature of any access by RIPTA of the sensitive personal data of non-RIPTA affiliates, any known vulnerabilities that existed at the time and vulnerabilities that were discovered upon investigation
  • How any such vulnerabilities allowed, contributed to or otherwise permitted the access to take place  

UnitedHealthCare of New England has 30 days to respond.  

THE LARGER TREND  

State and federal agencies have occasionally flexed their compliance power when it comes to data breaches, sometimes heaping on fines in addition to any private legal complaints brought against healthcare entities.  

For instance, New York State Attorney General Letitia James announced this past month that vision-coverage benefits provider EyeMed had agreed to pay the state $600,000 after a cyber incident affecting about 2.1 million U.S. residents.  

ON THE RECORD  

“We advise Rhode Islanders who have received notification from RIPTA to follow the steps outlined in that notification and sign up for free credit monitoring, fraud consultation and identity restoration services,” said the Rhode Island OAG in a statement.

Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.
