Neronha subpoenas RIPTA and UnitedHealthcare for data breach

PROVIDENCE, RI (WPRI) – A data breach at the RI Public Transport Authority (RIPTA) is bigger than the agency previously disclosed.
During a Senate Oversight Committee hearing on Monday night, RIPTA officials revealed that up to 22,000 people — 5,015 RIPTA employees and some 17,000 other Rhode Island residents — were affected by the breach last August.
Previously, the quasi-state agency estimated around 17,000 people in total were affected by the breach. Officials said the hackers accessed files containing information from the state’s health insurance billing plan, which included the personal details of state employees outside the agency.
RIPTA’s chief legal counsel, Steven Colantuono, noted during Monday’s hearing that some of the names and addresses involved were duplicates, but did not specify how many.
During Monday’s hearing, RIPTA CEO Scott Avedisian provided a timeline of the August breach and subsequent actions, which showed a handful of RIPTA employees carried out a manual review of affected files.
“This process was very time-consuming and labor-intensive, including reviewing over 40,000 records,” Avedisian said Monday, noting that the number of people viewing the files was deliberately kept small, so as not to further compromise the information.
The director said RIPTA notified the office of RI Attorney General Peter Neronha nearly four months later, on December 21, when the agency began sending letters to those affected by the breach.
“The purpose of notifying this office is that if we believe a follow-up investigation should take place, both into the content of the notice starting with the most basic, meaning was the notice sufficient? Was it timely, did it include all the information it was supposed to have?” Neronha told 12 News on Tuesday.
Target 12 has learned that Neronha’s office, which is actively investigating the security breach, recently issued civil subpoenas to RIPTA and UnitedHealthcare, the former administrator of the state health plan.
The documents say that under the state’s Identity Theft Protection Act, the office determined it would be in the “public interest to investigate the matter further.”
The 2015 law requires entities to notify the Attorney General of a data breach affecting more than 500 Rhode Islanders “no more than 45 calendar days after the breach.”
When asked if the entities violated this law, Neronha said his office is looking into this.
“Frankly, this is an issue that caught our attention in the first place,” Neronha told 12 News.
The subpoenas note that “one or more entities may have deviated from industry standard information safeguards with respect to this breach and in violation of their Notices of Privacy Practices or other representation of privacy practices to consumers.”
The other issue, Neronha said, is understanding how and why the breach happened in the first place.
His office is looking for information related to RIPTA and UnitedHealthcare’s cybersecurity, how the organizations responded to the hack, and how they subsequently communicated with each other, regulators and law enforcement.
Neronha said his office was looking at “how widespread is the problem, what remedies you need to take to make sure it doesn’t happen again, or maybe steps we can take to protect people who have been victims of this violation, the subject of this violation and move forward.”
“And we’re still in the early stages here, obviously,” he added.
Senate Oversight Chairman Lou DiPalma said he wants lessons learned from the RIPTA breach in August to be used across state government, saying it is a matter not of if but of when another violation would occur.
“Some people in this room, and I’m sure some people watching, were affected by the data breach and it’s something that can go on for decades,” DiPalma said.
“It is important, this is an extremely important topic, that the personal information of Rhode Islanders, both personally identifiable information, PII, and personally identifiable health information be protected to the nth degree,” the senator added.
In a statement to 12 News on Tuesday, RIPTA’s acting public information officer, Cristy Raposo Perry, said the agency “takes seriously the security and privacy of the information in our custody.”
“We continue to take steps to strengthen our information security processes, including further improving our security protocols, document handling practices and cybersecurity training for our employees. RIPTA will continue to work with third-party vendors to ensure that sensitive information is not inappropriately shared with RIPTA in the future,” the statement continued.
UnitedHealthcare did not testify Monday night, after initially agreeing to appear at the virtual hearing.
A spokesperson for UnitedHealthcare said the company was “working directly with the attorney general’s office on their investigation and could not provide further public comment until they complete their review.”
A statement adds that the company is “working with multiple parties to understand the data breach.”
Eli Sherman contributed to this report.