Rhode Island's attorney general hit UnitedHealthcare with a series of subpoenas asking for information about a security breach that compromised the information of 22,000 state employees and their families.
Attorney General Peter Neronha said the Rhode Island Public Transit Authority notified his office in late December that an "unauthorized third party" accessed their system in August, potentially exposing the personal information of their workers, other state government personnel and their dependents. His office is investigating whether the state agency or former administrator of the state's employee health benefit plan, UnitedHealthcare, failed to live up to industry standards when safeguarding individuals' personal information.
The subpoenas, issued on January 27, ask for information on the structure of UnitedHealthcare's security networks and patient information systems, the breach itself, how the insurer responded to the security violations and any internal and external communication related to the offense, including to outside state and federal law enforcement and consumers themselves.
"We're a long way from understanding the full scope of the incident, how it happened, why it happened, what information was accessed and then what accountability, if any, will arise from all that," Neronha said.
State law requires breaches that affect more than 500 residents to notify the attorney general and major credit reporting agencies, he said. RIPTA notified the FBI about the attack in August, but did not send notices to the individuals affected, attorney general or credit reporting agencies until December 21. The subpoena states that RIPTA or UnitedHealthcare may have failed to appropriately notify consumers that their personal information had been compromised.
UnitedHealthcare must respond to the attorney general's requests for information by February 27, Neronha said. He expected the investigation to span a number of months, and said he has been communicating with the insurers lawyers.
"We're a long way from understanding the scope of responsibility, but there are avenues of recovery," Neronha said.
Protecting member privacy is a priority at UnitedHealthcare and the insurer is working with multiple parties to understand the data breach, a spokesperson wrote in an email.
"We were privileged to serve the state of Rhode Island employees and their families until December 2019 and will continue to cooperate with the Office of the Attorney General as they investigate this matter," the spokesperson said.