Sun. Dec 22nd, 2024

A Christmas tree decorates a waiting area in the Rhode Island Department of Administration on Dec. 16, 2024 — a festive display glimpsed just after Gov. Dan McKee and state officials held a press conference on the RIBridges breach. (Alexander Castro/Rhode Island Current)

As a gentle snow fell over the state Friday evening, all appeared quiet on the dark web blog of an international cybercriminal group threatening to release the personal data of hundreds of thousands of Rhode Islanders allegedly stolen from the state’s public benefits system. 

The cybercriminal group Brain Cipher reset the deadline for paying its ransom demand several times over the past week. Unless the ransom amount — still undisclosed — is paid, the hackers threaten to release data from the RIBridges system, which is managed by the global consultancy Deloitte. The data could include names, addresses, dates of birth, Social Security numbers and banking information from people who have ever applied for benefits like food stamps and Medicaid or commercial health insurance through the online portal.

The public may never get a play-by-play of the breach. But the state Auditor General’s fiscal 2023 report cited a number of “severe deficiencies” in the state’s IT procedures, and even warned of a possible breach within RIBridges.

“The state has the final responsibility to ensure that its vendors are responsive to state and federal requirements,” said Ken Block, president of Barrington’s Simpatico Software Systems, in an interview Friday.

“In my work as a state contractor to the state of Texas and Illinois and the government of Puerto Rico, I have been the recipient of security audit findings and other audit findings,” Block said. “And in every circumstance, we weren’t given years or decades to fix the problems; we were usually given months.” 

Deadline is moving target

The latest extension on the ransom came early Friday evening, already well past the Dec. 15 deadline cited in early reports of Brain Cipher’s cyberattack targeting Deloitte, which state officials first made public on Dec. 13. The new ransom deadline is now around 5 p.m. on Sunday, Dec. 22. 

Connor Goodwolf, a cybersecurity expert and software engineer based in Columbus, Ohio, has monitored Brain Cipher’s clock all week. On X, he said that the hackers may wait until Christmas to add a surprise element to the dump. There are reasons for both sides to manipulate the deadline, he said in an email to Rhode Island Current. 

A close-up photograph of a proposal submitted by cybersecurity company Inspira to the state of Rhode Island shows a timeline for penetration testing on the RIBridges system. Also called pen testing, the method safely simulates attacks on a computer network to gauge system vulnerabilities. (Alexander Castro/Rhode Island Current)

Goodwolf recommends that law enforcement agencies ask for more time, even when they have no intention of paying. 

“My stance is to NEVER pay a ransom, regardless of the value of the data, as paying a ransom will fund the group(s) which will result in an amplification of attacks by the group,” he wrote.

Delaying the deadline gives victims more time to evaluate the breach’s true severity but also provides ransomers the opportunity to try to persuade additional stakeholders why they should pay up, Goodwolf said.

Goodwolf said he was “curious” how Deloitte will fare in its own digital audits.

“Based on the statement from Brain Cipher, Deloitte was not following the standards and processes they chose to follow,” Goodwolf wrote, pointing to Deloitte’s public documentation of its compliance with SOC 2, an attestation standard whose audits are typically performed annually.

The state, meanwhile, appears to be keeping up with federal requirements to monitor its systems, regardless of who builds or maintains them. In October, a $419,120 contract was awarded to Inspira Enterprise Inc. of Westlake, Texas, for a security assessment of the RIBridges system in fiscal years 2025 and 2026.

Inspira’s proposal shows the type of work the firm would be doing: penetration testing of the RIBridges system, per federal rules that require regular checkups for health care exchanges.

A pen test is “a simulated cyber-attack against your computer system to check for vulnerabilities that an attacker could exploit,” Jesse Roberts, senior vice president of cybersecurity at North Providence’s Compass Cyber Guard, said in an email Friday. “It’s like hiring a hacker to try to break into your system, but in a controlled and safe manner.”

“Such contracts can indeed seem costly,” Roberts said of the Inspira contract. “However, the price reflects the thoroughness and complexity of the testing and the scope of the testing. Without knowing what the scope is I cannot say for sure if it is overpriced.”

Pen testing can help define the severity of vulnerabilities, Roberts said; a vulnerability can exist without being exploitable for unauthorized access. And existing vulnerabilities are not necessarily the entire story behind the breach, Roberts said, since Brain Cipher “usually gains a foothold using social engineering, which is attacking the human element.”

Pondering divorce from Deloitte, or at least alimony

Legislators have different ideas for what should come next. House Speaker K. Joseph Shekarchi said Monday it was too early to consider oversight hearings, with the breach’s forensic analysis still ongoing.

Sen. Sam Bell, a Providence Democrat who has criticized both Deloitte and his fellow Democrat Gov. Dan McKee on X since news of the breach dropped, was more willing to speak up.  

“What I’ve heard is outrage,” Bell said via text message when asked about his constituents’ thoughts on the breach. “If they’ve heard about it, people are scared, and they don’t know what to do. Most importantly, they want to know what will be done to make them whole and compensate them for the stress and disruption to their lives. It’s appalling that McKee has yet to even discuss doing that.”

Rhode Island House Minority Leader Mike Chippendale called the breach “yet another reminder of why severing ties with Deloitte is imperative” in an email Thursday.

Just two weeks ago, at the Dec. 6 National Convention for the Council of State Governments in Louisiana, Chippendale attended a session discussing technology. To the Foster Republican’s horror, the chatter circled around to Deloitte — and specifically RIBridges’ first iteration, UHIP — “as a prime example of ‘what not to do,’” Chippendale said.

“As I sat among legislators from nearly every state in the union, I was embarrassed,” Chippendale wrote.  

Rhode Island is not the only state to embrace Deloitte and its spotty track record. A September feature in Fortune surveyed a trail of incompetence and frustration left by Deloitte-made Medicaid eligibility systems across the country. Rhode Island’s contract is around $99 million, while other states like California and Illinois have paid hundreds of millions for their Deloitte contracts, according to Fortune.

“This may seem radical, but the only logical path forward is to scrap the UHIP/Bridges system entirely,” Chippendale argued. “Yes, it will require absorbing significant costs upfront, but continuing to invest in a fundamentally broken system is throwing good money after bad.”


Block noted the RIBridges system has overpaid or mismanaged certain benefits from its inception in 2016, which led to a $50 million fine from former Gov. Gina Raimondo’s administration.

“To me, someone who supported a benefit system for food stamps, eligibility determinations isn’t hard,” Block said. “I can’t for the life of me understand why our system isn’t getting it right… In my opinion, the contractor should be held accountable and should have to pay for those monies that are improperly deducted.”

A close read of the message posted to Brain Cipher’s dark website suggests the hackers’ motivation is partially to shame Deloitte.

“We will compare the contract between the customer and the contractor (Deloitte.com) with the results of its execution,” the ransom page reads.

Aside from affirming the hack’s victim and perpetrator, Deloitte has been largely mum since Monday. When asked several followup questions on Thursday, including if a Deloitte representative would eventually attend a press briefing in Rhode Island, a company spokesperson could only repeat what had already been said.

Wrote Karen Walsh, Deloitte’s governmental affairs spokesperson: “As I said earlier in the week, because this is an ongoing investigation, I cannot comment further.” 

Pressure on HealthSource RI

RIBridges has been shut down as technicians work to recover the system back to a workable, malware-free state. Officials have not given estimates on when things will return to normal. That imprecise timeline poses a challenge because HealthSource RI, the state’s health insurance marketplace, is partially integrated into RIBridges and is in the middle of open enrollment. Jan. 31 is the deadline to renew or select new health insurance coverage to take effect Feb. 1.

Christina Spaight O’Reilly, a HealthSource RI spokesperson, said in an email: “Many of our customers are already in the pipeline for January coverage and have paid for 2025 coverage or are enrolled in auto-payments. They are all set.”

Customers who still need to pay for January coverage can visit standalone CVS locations, or pay by phone. More significantly affected are first-time applicants applying to HealthSource RI, who can’t use the online portal. Paper applications were considered as a “stopgap measure” during the system’s downtime but were ultimately rejected, O’Reilly said. Any penciled-in data would need to be uploaded to the system once it’s back up, and having to manually enter the data later on wouldn’t save any time in the long run.

The HealthSource RI website, which remains online, features an eligibility tool to help people review options.

“This way, when the system is online we will be ready to help these customers get enrolled more efficiently,” O’Reilly said. 

O’Reilly said the customer call center received fewer than 100 calls related to the breach on Tuesday, out of more than 1,800 calls overall. “That volume is not unusual for our Open Enrollment period,” she added.

Wait times averaged under 10 seconds, and chat agents online saw 60 inquiries that same day. Those were the most recent numbers O’Reilly was able to send as of Thursday evening.

A spokesperson for the Rhode Island Department of Human Services acknowledged questions about the breach’s impact on Wednesday, but did not reply to a followup on Friday.
