Many questions for Deloitte as state officials roll out response to cyberattack


By Alexander Castro
Chief Digital Officer Brian Tardiff leaves the podium, partially obscuring Gov. Dan McKee, at a press conference on Monday, Dec. 16, 2024, outlining the state's response to the RIBridges data breach. (Alexander Castro/Rhode Island Current)

For the third time in four days, Gov. Dan McKee and a slew of state officials took to a conference room at the Rhode Island Department of Administration Monday to inform the public about a cyberattack on the RIBridges system.

But technical details about the breach — which potentially affects up to hundreds of thousands of Rhode Islanders who have applied for or received social services since accounting firm Deloitte created the centralized system in 2016 — were basically nil at Monday’s press conference.

“It’s an ongoing investigation,” was the refrain of Chief Digital Officer Brian Tardiff, the state’s top IT official, who used that phrase at least a half-dozen times at the press conference.    

The system, developed and maintained by “Big Four” accounting firm Deloitte, serves as the customer-facing infrastructure for state services like food stamps and Medicaid. It’s typically housed at the URL HealthyRhode.RI.gov, although state officials took the website down Friday, two days after Deloitte confirmed it was very likely there had been unauthorized access to sensitive data.

RIBridges attack linked to Brain Cipher ransomware gang

As with press conferences from Friday and Saturday, officials continued to advise RIBridges users to freeze their credit, activate fraud alerts on their bank accounts, change passwords, and set up multi-factor authentication. The leaked information could include Social Security numbers and banking details.

What Tardiff did divulge, however, was a two-pronged attempt to recover from damage inflicted by the attacker. Deloitte confirmed Monday the culprit is Brain Cipher. The international cybercriminal group is a relative neophyte in the ransomware scene but now has several high-profile breaches under its belt, including an attack earlier this year on the Indonesian government. 

“There are two parallel lines of effort right now, which is incident response, to ensure that this is fully remediated, and restoration planning efforts, so that we can restore the system in a timely manner, so that it’s stable and secure,” Tardiff said. He declined to estimate what the restoration timeline looks like or when HealthyRhode.RI.gov will be back online. 

“We are pushing Deloitte to answer those questions,” Tardiff said.

Deloitte again had no representative at the briefing. Asked if the firm would have a presence soon, Tardiff replied: “We’re in constant contact with Deloitte throughout the day, and they are focused on the incident response and restoration activities, so I would anticipate that, as a good partner, they would be present at some point in time.”

Deloitte has relayed to Rhode Island state officials that the hackers intend to release the data unless a ransom is paid, although officials have not made the amount public. In the meantime, Gov. McKee advised potentially affected citizens to take protective measures if they ever applied via the RIBridges site — even if they didn’t qualify for benefits. 

“We do not control if and when the cyber criminals will make this information public or available to other bad actors,” McKee said. “That is why, if you believe you or someone in your household may have interfaced with a program on Rhode Island Bridges, you need to act now.”

The state opened a call center to field questions about the breach and received 1,100 calls on Sunday, its opening day, McKee said. The call center can be reached at 833-918-6603, and a companion website is now live at cyberalert.ri.gov.

McKee also noted that temporary disability insurance and unemployment are not part of the Deloitte-run system and are unaffected by the breach or outage.

Doors looking out toward Smith Street are seen from inside the Department of Administration building in Providence. (Alexander Castro/Rhode Island Current)

Extended office hours, back to paper 

In ransomware and exfiltration attacks, IT workers will shut down affected networks to remove the intruders. That means that currently, the state systems which depend on RIBridges are not accessible by applicants, beneficiaries and state workers. 

The state’s human services agencies have had to get creative: Benefit and payment processing across the affected state services are still active, said Department of Human Services Director Kimberly Merolla-Brito at the press conference. The agency is using paper processing for benefits and has opened all its field offices, extending hours at its Pawtucket and Providence locations from Tuesday through Thursday, from 4 to 7 p.m. 

“Everyone already enrolled in an affected program should be all set for December,” McKee said. “We were able to get ahead of the benefits and the distribution of the benefits in December, and so that is not putting pressure on the system as we speak.” But McKee added that the state will need “other options” when January rolls around. 

Brito said her department has also scrambled to mitigate confusion, including opening all field offices and moving back-office staff to frontline positions. Over at HealthSource RI, the state’s health insurance marketplace, Director Lindsay Lang said things went relatively well on the first business day back after the crisis was announced. Approximately 200 HealthSource RI staff received a briefing on the situation and training Monday morning, delaying the 8 a.m. opening till noon.

“I’m happy to report we did have a smooth start to the day,” Lang said. She clarified that individuals who are already enrolled or automatically re-enrolled in benefits can still pay their January premiums by phone, in person, or at CVS locations — except those inside Target stores — by using the barcode on their health insurance bill.

The health marketplace is open for enrollment through Jan. 31, but Lang noted that, as of Monday, new enrollments are not being processed. People can still call to receive quotes. 

“We can help you understand the application process, and we can answer questions about eligibility, as long as they don’t involve specific account information that is in the Rhode Island Bridges system,” Lang said. 

HealthSource RI for Employers was hosted on the RIBridges platform until 2019, so its current online enrollment is unaffected by the outage, Lang said. But data from the period it was part of the RIBridges system could still be in the breach.

‘Clarion call’

RIBridges’ much-maligned genesis, which included state lawsuits against Deloitte, goes back to 2016, when it was first known as the Unified Health Infrastructure Project or UHIP.

The RIBridges system was designed to be “the one-stop shopping, the single portal, for when people apply” to various social services, said Sen. Lou DiPalma, a Middletown Democrat, in a phone interview ahead of Monday’s press event.

He’s concerned that about 500,000 to 600,000 Rhode Islanders may have been affected in the breach, which allegedly contains one terabyte of data. Once the state ensures that people can get their benefits, then it may be time to look carefully at security across state systems, he suggested.

“If this isn’t a clarion call…nothing is,” DiPalma said, describing the breach as an “all-hands-on-deck” moment for state government.

DiPalma was especially curious if the Deloitte-run system complied with encryption rules set forth in the Identity Protection Act of 2015, most recently revised in 2023. The general law specifies a minimum standard of encryption for personal information stored on state computer systems.

“Was the data, in fact, encrypted?” DiPalma asked.

With a decryption key, even encrypted data may be unscrambled and made usable by bad actors. But Tardiff would not say whether the breached data was encrypted.

Asked about the prospect of legislative oversight hearings on the hack of the state vendor, House Speaker K. Joseph Shekarchi said Monday it was too early to make that call.

“I don’t want to comment too much on Deloitte because it’s an ongoing thing,” Shekarchi said. “I’ve spoken to the governor. I’ve spoken to the attorney general. Every day, things are changing.”

Looking ahead to the upcoming legislative session, Shekarchi named possible changes to state procurement laws — such as requiring contractors to include their own protections against cyberattacks — as one way to lessen the state’s exposure to data breaches.

A photo of the front of North Providence resident Patricia Mahoney’s state issued EBT card is an exhibit in the complaint against Deloitte filed Sunday in U.S. District Court for the Southern District of New York. (Exhibit A/Mahoney v. Deloitte Consulting LLP, Docket No. 1:24-cv-09575, S.D.N.Y. Dec 15, 2024)

So far the data breach has led to at least one federal lawsuit. A class action complaint filed Sunday in U.S. District Court for the Southern District of New York names a North Providence resident who receives Supplemental Nutrition Assistance Program (SNAP) benefits as the lead plaintiff. 

The lawsuit accuses Deloitte of negligence, breach of contract and unjust enrichment and claims lead plaintiff Patricia Mahoney and others’ “identities are now at substantial and imminent risk.”

Mahoney’s attorney Peter Wasylyk, a former state representative and House deputy majority leader, did not respond to requests for comment.

Any device connected to a network is potentially vulnerable to bad actors, especially computers connected to an enterprise system outside its usual firewall, like an employee’s laptop used away from the office. Institutions use security software called endpoint protection to protect devices like these. During the CrowdStrike outage of July 2024, Rhode Island Current reported that state employees at HealthSource RI used a software suite curated by the state’s IT office.

Tardiff said he believed the breach did not come from the state’s end, since the system is “owned and operated by Deloitte.” But it’s still unclear what databases would be available on Deloitte’s systems but not to state employees who work with client data on a regular basis.  

Online commenters, meanwhile, struck a resigned, ironic tone about the latest leak of their personal information.

“Can’t wait for my 35th coupon to Equifax and a ‘my bad’ email,” wrote one Redditor. 

Nancy Lavin and Janine L. Weisman contributed reporting to this story.