The Rhode Island Senate’s government oversight committee will question top Rhode Island Public Transit Authority and health insurance executives on Monday about how thousands of state employees’ personal data was stolen during a cyber attack.
The Senate Committee on Rules, Government Ethics, and Oversight, chaired by Sen. Louis DiPalma, has requested that the following people appear at the hearing:
• Scott Avedisian, executive director of RIPTA;
• Mark Gallagher, vice president of external affairs for UnitedHealthcare;
• Michele Lederberg, executive vice president, chief legal officer and chief administrative officer for Blue Cross Blue Shield of Rhode Island;
• Bijay Kumar, Rhode Island chief information officer and chief digital officer;
• Patrick Crowley, secretary-treasurer of the Rhode Island AFL-CIO.
RIPTA has said the stolen data was sent to them by a previous insurance provider, but has not provided additional details.
Blue Cross Blue Shield of Rhode Island currently manages the health plan for state employees, and has said that it did not provide the data. UnitedHealthcare managed the plan prior to 2020.
The committee is seeking the following information ahead of the meeting:
• An updated timeline that details when RIPTA was notified about the breach, verified who was affected, told the Rhode Island Attorney General, and notified those affected.
• Total counts of those affected.
• RIPTA’s data-retention policy, cyber-hygiene training policy and other records of employee cybersecurity training.
• Rhode Island’s statewide data-protection policy and cyber-hygiene training policy.
• The statewide policy for the retention of personnel data, and the state’s policy for contractors “with respect to the sharing of personnel data.”
Among the questions that will be addressed at the hearing:
• Why was personal and health-related data needed by RIPTA?
• How did RIPTA acquire the data? Was it sent in a secure email? Were individuals provided with a link to access the data?
• How many times, or at what frequency, was the data received or accessed?
• What kind of personal identification information or personal health information was included in the file?
• Is data stored on RIPTA computers encrypted?
• What is the “need to know” policy and process used at RIPTA to determine which employees have access to sensitive data?
• What is the policy and process for retention of personnel data at state agencies, including quasi-state agencies?
• What is the policy for the annual scrubbing of such data?
• What process was employed to determine what/who was affected by the data breach, and what was the notification process?
The hearing is scheduled for 5:30 p.m. Monday and is to be streamed online through Capitol TV.