UnitedHealthcare and the Rhode Island Public Transit Authority received subpoenas from state Attorney General Peter Neronha Jan. 27 regarding a data breach that compromised the data of 22,000 people, according to The Boston Globe.
The August 2021 security breach resulted in about 17,000 peoples' information being compromised, the transit authority initially said, but the impact has since grown, according to WPRI. Information included data from the state's health insurance plan billing for both agency members and other state employees.
At the time, UnitedHealthcare was the state's healthcare plan administrator. According to the Globe, UnitedHealthcare "incorrectly shared" plan and state employee data with the Rhode Island Public Transit Authority, playing a key role in the breach.
However, the August breach was not reported to the attorney general's office until Dec. 21, 2021.
According to WPRI, the subpoenas will help determine if the organizations violated the state’s Identity Theft Protection Act. Under the act, data breaches affecting more than 500 residents must be reported to the attorney general within 45 days of the breach.
UnitedHealthcare told WPRI that it is "working directly with the attorney general’s office on their investigation and cannot provide further public comment until they complete their review."
According to the subpoena, both UnitedHealthcare and the state's transit authority have 30 days to provide information on the events leading up to the breach and information safeguards in place.
The transit authority testified at a Rhode Island state senate hearing Jan. 31 on the data breach to detail its involvement. UnitedHealthcare did not attend, a move state Sen. Louis DiPalma said he was "extremely disappointed" about.