A computer monitor displays a diagram of the RIBridges system. The schematic, which was included in a 2024 request for proposal to help modernize the public benefits system, suggests the infrastructure had numerous security practices in place ahead of a December data breach. (Alexander Castro/Rhode Island Current)
Rhode Island’s online public benefits system appears to be a fortress with many defenses, including 15 different kinds of security and monitoring software, state documentation shows.
Despite those shields, a glut of data from the RIBridges system — which aggregates eligibility checks for programs like Medicaid, food stamps and the state’s health insurance market — was breached and leaked in December by Brain Cipher, a cybercriminal group. While the leaked data has been difficult to unearth, official comment continues to paint a portrait of system vendor Deloitte as the weak link.
Brain Cipher’s typical MO is ransomware, which encrypts files and can “brick” a system, making it basically unusable. Bad actors then promise to decrypt the files if victims pay a ransom. Many such groups also copy data out of the network before encrypting it and threaten to publish it, so the victim faces both an outage and a leak.
But former U.S. Democratic Rep. Jim Langevin said in an interview Wednesday, “This was not a traditional ransomware attack…They didn’t brick Deloitte’s system. They copied the data and took it.”
Langevin, who formerly sat on the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection, now chairs the Institute for Cybersecurity and Emerging Technologies at his alma mater, Rhode Island College.
Gov. Dan McKee has consulted Langevin since the start of the breach, and the former congressman praised the governor for informing the public as soon as possible, including a series of press conferences held before the stolen data was posted publicly.
Langevin said he was not privy to the discussions about whether or not to pay the hackers or to how much they were asking. However, he echoed the law enforcement stance that victims not pay ransoms. One reason many victims don’t pay is that their systems are adequately backed up. Backups, though, only undo encryption; they do nothing about data that has already been copied out.
“There’s no such thing as 100% cyber security, but you can narrow that aperture of vulnerability to something much more manageable,” Langevin said.
A slow data leak
The state’s stolen data was “on Deloitte’s system,” Langevin said. It was not pried from the RIBridges environment proper, which is physically housed at a state data center in Warwick, according to a request for proposal (RFP) posted in August 2024 that sought vendors to modernize the system.
A diagram included in the proposal shows vendors what they’d be working with: An array of virtual and physical machines, two operating systems, numerous network technologies and firewalls, and a sizable roster of applications. The system’s data was backed up redundantly — in copies upon copies — across multiple servers. These protections were further reinforced by state purchasing regulations for IT vendors — which, as of May 2024, prescribe up to millions in cyber insurance.
Connor Goodwolf, the Columbus, Ohio-based security engineer who previously shared his independent analysis of the leaked data with the Rhode Island Current, reviewed the system architecture diagram, which was buried in Rhode Island’s procurement website.
“If they deployed all the tech in the stack, then it’s not a leak of the full RIBridges system,” Goodwolf said in a text Wednesday, and pointed to a lack of evidence in the leak for one of the diagram’s software components.
“The hack was limited,” Goodwolf concluded, “or the [Brain Cipher] group released a limited set of data.”
Goodwolf’s automated downloader continues to get booted from the hackers’ web server, which has not been configured to allow resuming downloads: it does not honor HTTP range requests, so an interrupted transfer has to start again from the first byte. That makes it much harder for people to download the leak’s files, some of which are dozens of gigabytes in size.
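To show what “resuming downloads” means at the protocol level, here is an added example (not Goodwolf’s tool, and nothing from the leak site): a client that asks for `Range: bytes=N-` after each dropped connection and accepts the server’s `206 Partial Content` only if the `Content-Range` offset matches what it already holds, run against two stand-in servers, one that honors ranges and one that ignores them. The server is a plain Python function and the payload is a constructed byte string so the example runs offline; both are assumptions, not the real leak server.

```python
"""Resumable HTTP download logic against a server that drops connections.

Added illustration. The "server" is a Python function standing in for a real
daemon, and PAYLOAD is a constructed stand-in for a large leak file. Every
connection is cut after `drop_after` body bytes. A server that honours
`Range` lets the client pick up where it left off (206 + Content-Range); a
server that ignores `Range` (HTTP permits that) answers 200 from byte zero,
so each retry restarts the whole transfer.
"""
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, bytes]          # (status, headers, body)
Server = Callable[[Headers], Response]

PAYLOAD = bytes(range(256)) * 40                # constructed: 10,240 bytes


def make_server(range_support: bool, drop_after: int) -> Server:
    """Fake server (assumption). Sends at most `drop_after` body bytes per
    connection, then 'drops' the connection (truncated body)."""
    def handle(req: Headers) -> Response:
        total = len(PAYLOAD)
        start, status = 0, 200
        headers: Headers = {"Content-Length": str(total)}
        rng = req.get("Range", "")
        if range_support:
            headers["Accept-Ranges"] = "bytes"
            if rng.startswith("bytes=") and rng.endswith("-"):
                start = int(rng[len("bytes="):-1])
                if start >= total:
                    return 416, {"Content-Range": f"bytes */{total}"}, b""
                status = 206
                headers["Content-Range"] = f"bytes {start}-{total - 1}/{total}"
                headers["Content-Length"] = str(total - start)
        return status, headers, PAYLOAD[start:start + drop_after]  # truncated
    return handle


def _total_size(status: int, headers: Headers) -> int:
    """Full resource length: Content-Range on 206, Content-Length on 200."""
    if status == 206:
        return int(headers["Content-Range"].split("/")[-1])
    return int(headers["Content-Length"])


def download(server: Server, max_attempts: int = 10) -> Tuple[bytes, int, bool]:
    """Download with resume. Returns (data, attempts_used, complete).

    After a drop the client requests `Range: bytes=<bytes held>-`. A 206 is
    appended in place (after checking the offset); a 200 means the server
    ignored the range, so the partial file is discarded and restarted.
    """
    buf = bytearray()
    for attempt in range(1, max_attempts + 1):
        req: Headers = {"Range": f"bytes={len(buf)}-"} if buf else {}
        status, headers, body = server(req)
        if status == 206:
            first = int(headers["Content-Range"].split()[1].split("-")[0])
            if first != len(buf):
                raise ValueError(f"server resumed at {first}, expected {len(buf)}")
            buf += body
        elif status == 200:
            buf = bytearray(body)       # no resume support: start over
        else:
            raise ValueError(f"unexpected status {status}")
        if len(buf) >= _total_size(status, headers):
            return bytes(buf), attempt, True
    return bytes(buf), max_attempts, False


if __name__ == "__main__":
    for supports_range in (True, False):
        data, tries, ok = download(make_server(supports_range, drop_after=4000))
        print(f"range_support={supports_range}: {len(data)} bytes after "
              f"{tries} attempt(s), complete={ok}")
```

With range support the 10,240-byte file completes in three connections; without it the client is stuck holding the same first 4,000 bytes no matter how many times it retries, which is the behaviour described above. A real client would also compare `ETag`/`Last-Modified` between attempts so it never stitches together pieces of two different versions of a file.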
But the developer has found less-than-ideal defense measures in the databases he was able to download. “Simple passwords across the board,” Goodwolf said over text, noting he had found one password that hadn’t been updated since 2017 — a violation of one security standard which RIBridges is designed to follow.
“I wonder how Deloitte is going to spin this,” wrote Goodwolf.
Deloitte has not responded to requests for comments from the Rhode Island Current since Dec. 19, 2024, when a spokesperson said the company had no comment. Deloitte confirmed that RIBridges data was in the breach advertised by Brain Cipher in early December.
Kristen Setera, a spokesperson for the FBI’s Boston office, and Lt. Col. Robert Creamer of the Rhode Island State Police declined to comment on any investigations related to the breach.
Rebuild or repair?
The state’s fiscal 2025 budget included $29 million for RIBridges, spread across three state agencies that deal with various pieces of the complex health and benefits platform: the Rhode Island Executive Office of Health and Human Services (EOHHS), the Rhode Island Department of Administration, and the Rhode Island Department of Human Services. The state budget office required EOHHS to make funding cuts to the “hardware/software” spending on RIBridges as part of the agency’s fiscal 2026 budget memo, submitted to the governor’s office Sept. 30, two months before the cyberattack.
But R.I. Health and Human Services Secretary Richard Charest lobbied against the full 35% cut in his budget memo, proposing a smaller cut of 25% to avoid increases in call waiting times, audits and “corrective actions” by regulatory federal agencies. The extra money is also needed to pay for software maintenance and updates, Charest wrote.
The state continues to meet IT security standards for RIBridges, at least as far as the Centers for Medicare and Medicaid Services (CMS) is concerned. CMS imposes heavy and precise regulations on state-run systems related to Medicaid and health insurance marketplaces, which are mandated by the Affordable Care Act.
Since first linking its state health exchange to CMS systems in 2013, Rhode Island has met all benchmarks during each federal reevaluation of the system, a CMS spokesperson said in an email Wednesday. Compliance with the standard, called MARS-E (Minimum Acceptable Risk Standards for Exchanges), is reviewed every three years, and Rhode Island was last evaluated in 2022, CMS said.
CMS does not regulate systems that are connected to, but not part of, a state’s Medicaid network. An attacker who compromised an administrative computer in one state department could, in theory, move from there to computers at another state agency.
A $419,120 contract the state awarded in October to Inspira Enterprise Inc. of Westlake, Texas, will assess the RIBridges system for compliance in fiscal years 2025 and 2026. But the proposal appears to focus mostly on web applications — and not overarching, state-level IT infrastructure that could interact with RIBridges.
Rhode Island House Minority Leader Mike Chippendale previously told Rhode Island Current that the state should ditch Deloitte and build a new system. On Jan. 2, 2025, the House Minority Caucus issued a statement with a similar message: “The fact that Rhode Island will not sever this abusive relationship with this failed company is a further head-scratcher.”
But what about the modernization RFP, which wants to rectify the existing RIBridges and make, in its words, “a continued investment to ensure systems are secure, scalable, and sustainable”?
Chippendale wrote in an email: “Yes, the RFP is seeking to make things right. But it’s akin to taking a building that was constructed improperly, poorly, out of code compliance with building specs, and then trying to convert it into a modern mansion.”
According to supplemental materials for the RFP, the RIBridges architecture comprises five main applications authored specifically for the system. Together, they make up nearly five million lines of code. It’s hard to say how big an undertaking that entails — lines of code are not the most valuable metric, since programming languages and projects vary wildly in their needs — but it will be up to the contract’s awardee to conduct a thorough review of each line.
For Chippendale, Deloitte’s coding was sloppy from the start, and the representative pointed to oversight hearings at the State House during RIBridges’ rocky rollout in 2016. A third-party analysis then found that Deloitte’s code frequently lacked comments, the human-readable notes programmers use to explain their code’s purpose.
“Without those remarks it’s hieroglyphics that I first need to translate before I can modify it,” Chippendale said. “Now imagine that I was trying to figure that out with code that someone else, with a different style of coding, may have written.”
That process costs time and money, Chippendale said, so it “may very well be more affordable to start from scratch.” And while oversight hearings at the State House are valuable, the GOP leader said that in his dozen years on House Oversight he has seen the committee weaponized too frequently as an arena for Democratic party infighting.
But his colleagues in the General Assembly are indeed revving up the House and Senate oversight committees for hearings on the RIBridges breach.
Greg Paré, a Senate spokesperson, said in an email that the oversight hearings are currently being scheduled. Paré and Larry Berman, the House spokesperson, did not reply to a question as to whether Deloitte representatives would be compelled to attend the hearings.
Deloitte representatives did not attend any of the governor’s press conferences designed to inform the public about the breach, although state officials have said multiple times they expect the consultants — who have been paid more than $10 million in the current fiscal year — will show their faces eventually.