PROVIDENCE, R.I. (WPRI) — The federal government has opened a probe into the Rhode Island Public Transit Authority’s data breach from last August, Target 12 has learned.

Cristy Raposo Perry, a spokesperson for RIPTA, confirmed the U.S. Office for Civil Rights, a division of the U.S. Department of Health and Human Services, has begun a review of the breach that compromised the personal information of thousands of state workers.

When asked what information RIPTA has to provide and how long the OCR’s review will take, Raposo Perry responded, “We do not have any other information at this time.”

OCR spokesperson Rachel Seeger told Target 12 in a statement: “OCR does not comment on open or potential investigations.”

However, OCR provided a copy of the office’s 2020 “Annual Report to Congress on Breaches of Unsecured Protected Health Information,” which highlighted that the agency received more 600 notifications of breaches affecting 500 or more individuals the prior year. The agency completed 547 of those investigations and resolved eight of them “with resolution agreements/corrective action plans totaling more than $13 million in collections,” according to that report.

It wasn’t immediately clear whether that money went to OCR or to victims.

The state would not explain why a division of the health and human services would get involved in a cyberattack tied to a state transportation agency, but State Sen. Lou DiPalma, D-Middletown, chair of the Senate Oversight Committee, said it’s likely because of HIPAA privacy issues.

“It’s because of the unauthorized access of health information,” said DiPalma, referencing what RIPTA CEO Scott Avedisian told his committee on Jan. 31. “United Healthcare provided to RIPTA access to personal information — potentially health information as well — that was unauthorized for 22,000 people.”

It’s currently unclear how long OCR’s review will take, but DiPalma said whenever it is released, he hopes it includes “recommendations for enhancements” RIPTA needs to make to its IT systems.

As Target 12 previously reported, Conti, a hacker group with Russian ties, seized the personal information from RIPTA and then sent a ransom note demanding payment. The transportation agency hired Coveware Inc., a firm that helps entities recover hacked data, and ended up paying $170,000 to recover its stolen data on Aug. 12.

“I hope and expect that OCR and the attorney general will get to the bottom of it to ensure incidents like this don’t occur in the future,” DiPalma said.