Thu. Feb 6th, 2025

A sample of the free credit monitoring letter that went out to customers affected by the RIBridges data breach is seen curling on a windowsill. The credit monitoring is being paid for by system vendor Deloitte, and Rhode Island Gov. Dan McKee’s office announced Tuesday that the firm will also pay for $5 million in additional costs incurred since the December data breach. (Photo by Alexander Castro/Rhode Island Current)

The consulting firm that built and manages RIBridges has paid $5 million to the state of Rhode Island for expenses associated with the December data breach of the public benefits and health insurance system.

“Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support,” McKee said in a statement Tuesday. 

A breakdown of the $5 million payment was not immediately available on Tuesday afternoon. Part of the cash will cover expenses incurred as a result of directly enrolling roughly 2,000 customers with Blue Cross & Blue Shield of Rhode Island and Neighborhood Health Plan of Rhode Island for the months of January and February, after the shutdown of HealthSource RI, the state’s health insurance marketplace, McKee’s office said.

The temporary direct enrollment program was offered to connect customers directly to insurers if they needed coverage immediately for January and February. The HealthSource marketplace, along with the rest of the RIBridges network, which includes programs like food stamps and certain home care services, was shut down after the breach’s confirmation on Dec. 13, 2024.

“HealthSource RI worked with insurance providers to offer customers who needed active coverage starting the 1st of the year to enroll directly with Neighborhood Health Plan of Rhode Island and Blue Cross Blue Shield of Rhode Island,” according to the press release. At least part of the $5 million is meant to cover the costs for these customers.

Gov. Dan McKee’s office announced the payment Tuesday, after postponing a morning briefing for reporters on the topic of RIBridges. No new date and time for the press conference were announced. McKee spokesperson Olivia DaRocha said in an email that an advisory would be sent ahead of time once a new date and time are set.

A Deloitte spokesperson did not immediately respond to requests for comment. Deloitte has paid an unspecified amount for credit monitoring and identity protection services for people potentially affected by the breach, a number estimated to be around 657,000. That number was determined during an ongoing forensic analysis of the breach, by examining which parts of the network had been affected by the cybercriminals, state officials said in January. 

Globally, Deloitte made $67.2 billion in its fiscal year 2024, of which $33 billion came from the U.S.  

State relaunches RIBridges portal, one phase at a time

In the meantime, the RIBridges system’s customer-facing HealthyRhode.RI.gov portal is largely back online. After system access was restored for state employees and other backend workers in early January, staggered waves of customers began to receive password reset emails after Jan. 23. To reduce suspicion of phishing attempts, the emails do not include links.

After receiving instructions on how to reset their passwords, customers can log on once more to the RIBridges portal to access their data and apply for benefits. A popup message on the site Tuesday states that new user sign-ups are available again as well.
