A Deloitte-Managed State System Getting Jacked By Cybercriminals Will Cost the Firm $5 Million (For Now)


Late last year it was discovered that Rhode Island’s public health system RI Bridges, built by Deloitte, had been accessed by nefarious individuals who then leaked large amounts of personal information to the darkest corners of the internet. The breach affected a number of state programs:

  • Medicaid    
  • Supplemental Nutrition Assistance Program (SNAP)    
  • Temporary Assistance for Needy Families (TANF)    
  • Child Care Assistance Program (CCAP)    
  • Health coverage purchased through HealthSource RI   
  • Rhode Island Works (RIW)    
  • Long-Term Services and Supports (LTSS)    
  • General Public Assistance (GPA) Program
  • At HOME Cost Share

On December 16, Rhode Island governor Dan McKee issued a warning to anyone who had used these state programs, urging them to secure their identity.

The affected individuals include children. “People need to act fast when it comes to protecting their personal information, and for some, that includes keeping an eye on their child’s credit,” he said in a separate statement.

The breach was the third reported hack for the Deloitte brand in 2024. The first involved threat actors getting into a trove of Deloitte intranet communications through an exposed Apache Solr server with default credentials. The second was a ransomware group lifting a compressed terabyte of data from Deloitte UK and then posting that Deloitte sucks at their job.

Brain Cypher statement on their breach of Deloitte UK systems to lift more than 1 TB of data

It appears the group that got Deloitte UK is the same one that penetrated the Deloitte-managed RI Bridges system: Brain Cypher. Adding insult to injury, Brain Cypher sent Deloitte a screenshot of some of the data they got.

As news of the breach was breaking in mid-December, Deloitte released this statement: “Our investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network. No Deloitte systems have been impacted.” Whew, as long as your systems are safe. Who cares about a bunch of kids on food stamps amirite.

At a press conference shortly after news of the breach hit, Rhode Island’s chief digital officer wasn’t so quick to let the firm pass the buck:

Asked during a Smith Hill news conference how the hack happened, and whether Deloitte was responsible, [CDO Brian] Tardiff said, “It’s an ongoing investigation, so we can’t provide any details at this point. We do expect a full root cause analysis that will provide those details.”

Tardiff added that RI Bridges “is maintained and operated by Deloitte, so we believe it [the breach] is not from the state.”

This morning, Governor McKee’s office announced that Deloitte is going to pay for this incident. Literally.

At the request of Governor Dan McKee, Deloitte provided Rhode Island with $5 million to help pay for expenses related to the RIBridges data breach.

Separately, Deloitte is covering the cost of the data breach call center, credit monitoring, and identity protection for impacted customers.

Expenses supported by the $5 million payment include but are not limited to the costs associated with the approximately 2,000 HealthSource RI customers who were enrolled directly in coverage for the months of January and February.

HealthSource RI worked with insurance providers to offer customers who needed active coverage starting the 1st of the year to enroll directly with Neighborhood Health Plan of Rhode Island and Blue Cross Blue Shield of Rhode Island.

“Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support,” said Governor Dan McKee.

The RIBridges system is undergoing a phased relaunch. At this writing, customers can access the HealthyRhode portal, submit applications, and interact with their accounts as needed.

Several class action lawsuits have already been filed, including one by the law firm that sued the toast out of Big Tobacco and won, so it’s looking like Deloitte will be coughing up more than a mere $5 million.