
UnitedHealthcare tied to RIPTA data theft incident as breach tally rises to 22K

People wait at a bus stop on April 8, 2021, in Providence, R.I. An ongoing investigation into the public transit authority reveals new details, including that its former health plan administrator has been added to the review. (Photo by Spencer Platt/Getty Images)

New information has come to light in the ongoing investigation into the Rhode Island Public Transportation Authority (RIPTA), after it was revealed that the data of 5,015 health plan beneficiaries was stolen during an August hack. The breach notice soon caught the attention of the state’s attorney general and American Civil Liberties Union over privacy and security concerns.

A state hearing into the incident last week showed UnitedHealthcare has been named as part of the state’s investigation, as it was the former health plan administrator for Rhode Island. Local news outlets revealed the health plan leadership did not show up for the hearing, an absence explained by the ongoing state investigations.

However, the meeting did reveal some key details, including that the initial estimated breach tally was incomplete: the exfiltration actually impacted 22,000 individuals, according to local news outlet WPRI. The discrepancy is due to the relationship the individual had with RIPTA.

The 5,000 individuals initially notified were employed by RIPTA; the remaining 17,000 were state citizens who received healthcare from the state but were not employed by RIPTA. The tally was determined by a manual review of over 40,000 impacted files following the discovery of the hack.

The investigation and hearing stem from a recent notice detailing the theft of personal and health data from RIPTA over the summer. A hacker gained access to multiple computer systems two days before the intrusion was discovered, using that access to steal troves of sensitive information.

The trouble is that some of the informed individuals had no direct connection to the public transport authority, among other privacy and security concerns.

As noted by the ACLU letter: “But worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency.”

The hearing also shed light on how RIPTA came to have the health data in the first place.

RIPTA tasked a number of employees with healthcare billing and health plan enrollment for transit employees, accessing a UnitedHealthcare portal through a secure link sent via email. The access enabled reconciliation for healthcare bills. Any downloaded files were automatically saved to a server and backed up every night, an official told WPRI.

While state policy requires many departments to encrypt data, the rule does not apply to RIPTA. At the hearing, an official stressed the incident likely would not have occurred if data had been encrypted. The oversight committee also noted RIPTA should have done a better job communicating these issues to the public.

Further, the hearing revealed that the Department of Justice and Department of Health and Human Services are currently working to decide which agency will investigate the incident. For now, the state is continuing to investigate and address underlying privacy concerns.

Two weeks later, Kentucky hospital still recovering from cyberattack

The phone lines and other network systems remain down at Taylor Regional Hospital in Kentucky, two weeks after falling victim to a cyberattack. The incident is currently under active investigation.

As previously reported, the cyberattack struck on Jan. 24, prompting electronic health record downtime procedures and network disruptions. All systems have been taken offline during the recovery and investigation processes, with officials setting up temporary phone lines to maintain patient care operations.

Patients are still being asked to bring in current medications to their appointments, and lab service orders must be physically brought in for those services as clinicians still can’t access the online lab system. Officials explained that “chemo and STAT orders will be accepted if needed. All patients will be required to bring a written order.”

Clinicians are also unable to schedule COVID-19 testing appointments outside of the walk-in clinic, which is accepting patients on a first-come, first-served basis. Officials continue to inform patients to expect longer than normal wait times amid the ongoing outages.

iRise Florida reports undetected email hack from February 2021

iRise Florida Spine and Joint Institute recently notified 61,595 patients that their data was compromised after an email hack in February 2021, which went undetected for a number of months. The hack occurred between Feb. 24 and Feb. 26, and the account was secured upon discovery.

The notice does not detail when the incident was first discovered, just that an investigation and “time-consuming manual document review” concluded in November 2021 that protected health information was contained in a hacked email account. 

The forensic analysis showed the account contained personal information and PHI of a subset of patients. The data could include names, dates of birth, diagnoses, clinical treatments, provider and/or hospital names, dates of service, and health insurance details. For some, SSNs, driver’s license numbers, financial account information, credit cards, and user names and passwords were compromised.

iRise has since bolstered its technical safeguards, including the implementation of technical email safeguards and multi-factor authentication. Employees have also been provided additional training on the risk of malicious emails.

County of Kings server misconfiguration spurs months-long breach

County of Kings in California is notifying 16,590 individuals that their data was exposed for a number of months due to a third-party misconfiguration error of its public web server.

First discovered Nov. 24, the error allowed limited COVID-19 case information, provided to the county’s public health department by the California Department of Public Health and county healthcare providers, to be available online without the need for authorization.

The county quickly worked to correct the misconfiguration when it discovered the exposure. An investigation into the incident determined the compromise was caused by a third-party contractor error, which began as far back as Feb. 15, 2021. The issue was fully corrected 10 months later on Dec. 6.

The investigation could not rule out potential access to the affected data, which could include individuals’ names, dates of birth, contact information, and information tied to COVID-19.

Pace Center for Girls’ infrastructure hack

Pace Center for Girls recently began notifying 18,300 individuals tied to its Florida location that their data was accessed during a systems intrusion in January 2021. The incident was discovered in December 2021. Pace is a nonprofit academic and social services provider focused on high-school aged girls.

On Dec. 13, Pace found certain confidential and/or sensitive information was accessed on its systems and launched an investigation, determining that portions of its infrastructure systems were hacked earlier in the year. Pace is continuing to investigate the scope of the intrusion.

So far, the investigation has determined student information was improperly accessed, including full names, contact information, dates of birth, Florida Department of Juvenile Justice identification, enrollment data, behavioral health information, and parent or guardian names.

Pace is in the process of improving its security with the assistance of a third-party cybersecurity firm, including bolstering its network security and physical computer access, while assessing its data protection and gateway security systems.

Impacted individuals are being urged to “take immediate steps to protect the students from any potential harm resulting from the data incident, such as actively monitoring accounts, Explanation of Benefits (EOBs), and credit bureau reports.” A fraud alert is also recommended.

South City Hospital reports theft of server containing patient data

A burglary at some facilities of Missouri’s South City Hospital between Nov. 13 and Nov. 14 resulted in the theft of a back-up imaging server, which contained the sensitive protected health information of 21,601 patients. The notice does not disclose whether the data stored on the stolen server was encrypted.

An investigation into the incident confirmed the stolen server contained patient names, SSNs, health insurance details, radiology imaging, and/or related medical data. The hospital has since implemented additional measures, while reviewing existing security policies to prevent a recurrence.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
