Rhode Island warns of cybercriminals leaking stolen state files as Deloitte works to restore system

The government of Rhode Island said the hackers behind a recent ransomware attack on several of the state’s digital platforms have leaked some of the data that was stolen from the platform last month.

State officials said consulting firm Deloitte — the vendor that created its HealthSource RI affordable health coverage marketplace and the RIBridges system that manages social services programs — told them a ransomware gang released some of the files onto the dark web.

“This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information,” the state said in a statement on December 31. 

“Right now, IT teams are working diligently to analyze the released files. This is a complex process and we do not yet know the scope of the data that is included in those files, but as we’ve been saying for several weeks, we should assume that data contained in the RIBridges system has been compromised.”

The state is working with Deloitte to generate a list of impacted people and plans to send breach notification letters to those affected. It is estimated that about 650,000 use the state systems that were attacked. 

Gov. Dan McKee told reporters last month during a press conference that those who used the system likely had names, addresses, dates of birth, Social Security numbers, banking information and other personal information stolen by hackers.

Officials urged the thousands of people potentially impacted to freeze their credit, request fraud alerts from their bank, enable multifactor authentication on financial accounts and more. 

“People need to act fast when it comes to protecting their personal information, and for some, that includes keeping an eye on their child’s credit,” said McKee. “Our State is committed to providing timely updates and resources so that Rhode Islanders and their families can take action to secure their credit and data.”

Brain Cipher claims

The Brain Cipher ransomware gang initially claimed it breached Deloitte, but the company denied it was ever attacked. McKee later said Deloitte told the state on December 5 that the attack had actually targeted the systems the consulting firm built for the state. 

By December 23, the ransomware gang confirmed that the data it stole was from Rhode Island. McKee has faced some backlash locally after admitting that ransom negotiations were being handled by Deloitte and not by Rhode Island law enforcement, the FBI or other U.S. agencies. 

The attack has also had an outsized effect on crucial state services offered to Rhode Island residents, coming at a particularly difficult time as families prepared for the holiday season. 

RIBridges is used to determine eligibility for programs and benefits like Supplemental Nutrition Assistance Program (SNAP), Medicaid and cash assistance as well as affordable health coverage options offered through Health Source Rhode Island.

While access to the state’s marketplace for affordable health coverage has been restored, RIBridges is still unavailable to enrollment, forcing those in need to either go in person to state facilities or call state offices. 

Rhode Island said this week that it is expanding its call center hours through the first days of the new year to accommodate those who may need to choose a plan, make a payment, or otherwise inquire about the status of their account.

In July 2024, Brain Cipher attacked Indonesia's national data center, disrupting immigration checks at airports and a variety of other public services. Jon Miller, CEO of cybersecurity firm Halcyon, said the ransomware is a variant of the notorious LockBit 3.0 ransomware and emerged in June.