WANAN YOSSINGKUM/istock via Gett

News

Deloitte provides $5M to cover RIBridges data breach costs

In addition to the $5 million, Deloitte is covering the cost of the RIBridges data breach call center, credit monitoring and identity protection for affected individuals.

Jill McKeon
By
Published: 05 Feb 2025

Deloitte agreed to provide the state of Rhode Island with $5 million to cover expenses related to the RIBridges data breach, at the request of Rhode Island Governor Dan McKee. RIBridges, the system that manages many of the state's social services programs, suffered a cyberattack in December 2024.

The $5 million will go toward costs related to the approximately 2,000 HealthSource RI customers who were enrolled in coverage in January and February. In addition to the $5 million, Deloitte is covering the costs of credit monitoring and identity theft protection services for affected consumers, as well as the data breach call center.

“Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support," McKee stated.

RIBridges cyberattack

Deloitte, the vendor that manages RIBridges, first informed the state that there was a security threat to RIBridges on Dec. 5, 2024, stating that there was a high probability that a cyberthreat actor had obtained files containing sensitive information.

The state took RIBridges offline after learning about the potential breach. At the time, the scope of the incident was not yet known but could have affected any individual who received or applied for state health coverage or health and human services programs, such as Medicaid, coverage purchased through Healthsource RI, and the Child Care Assistance Program.

On Dec. 23, McKee stated that the breach affected approximately 650,000 individuals. The Brain Cipher ransomware group later claimed responsibility for the attack. On Dec. 30, Deloitte informed the state that the cyberthreat actors released some RIBridges files on the dark web.

"This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information," an alert from the Governor's office stated.

On Jan. 10, 2025, McKee announced that the state had begun mailing notification letters to affected individuals. During the week of Jan. 23, the state of Rhode Island began a phased relaunch of the HealthyRhode customer portal associated with RIBridges, following extensive testing by Deloitte.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Dig Deeper on Healthcare data breaches