Deloitte offices in London, England. (Photo by Jack Taylor/Getty Images) (Photo by Jack Taylor/Getty Images)
The cyberattack on Rhode Island’s online system for enrolling residents on Medicaid and other human services benefit programs and signing up for commercial health insurance plans is tied to a breach in the United Kingdom earlier this month.
The data breach that may have exposed personal information of hundreds of thousands of Rhode Islanders is the same breach the Brain Cipher ransomware gang took responsibility for in a Dec. 4 post on their dark web site.
Governor urges Rhode Islanders to take precautions to protect personal data
The UK branch of accounting firm Deloitte denied that their internal network or systems had been hacked on Dec. 4 in a statement — but they did specify that a “single client’s system which sits outside of the Deloitte network” had possibly been breached.
A spokesperson for Deloitte Consulting confirmed Monday morning that the “single client system” affected in that attack is Rhode Island’s RIBridges system, which is managed by Deloitte.
“I can confirm that the State of Rhode Island’s system known as RIBridges is the ‘single client system’ impacted by the Brain Cipher data breach earlier this month,” wrote Karen Walsh, a spokesperson for Deloitte, the vendor that manages RIBRidges, in an email Monday.
On Dec. 5, Deloitte informed Rhode Island officials that the RIBridges system may have been breached, but it was unclear then if sensitive information had been leaked. By Dec. 10, Deloitte confirmed the RIBridges breach, with a screenshot of file folders hackers sent by the hacker to Deloitte. On Dec.11, Deloitte confirmed that there was “a high probability that the implicated folders contain personal identifiable data from RIBridges.”
The RIBridges system was taken offline Friday afternoon, Dec. 13, after Deloitte confirmed there was malicious code present in the system. Typically, networks are taken down to prevent hackers from acquiring more information on infiltrated networks, and to purge attackers from areas they’ve already affected.
Brain Cipher allegedly seized 1 terabyte of data from Deloitte UK. That’s also the same amount of data alleged in the RIBridges hack, Rhode Island Chief Digital Officer Brian Tardiff cited at a press briefing Saturday night.
Deloitte also issued a statement on Friday, Dec. 13, the same day Gov. Dan McKee announced the breach of the RIBridges system:
“Upon learning that a state system supported by Deloitte had been attacked by an international cybercriminal group, we launched an investigation in collaboration with our client and law enforcement officials,” the statement said. “While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve. We will continue to work around the clock to resolve this matter.”
The number of people whose information was potentially compromised is still unknown, as a forensic analysis of the breach is still ongoing. But McKee suggested Friday that it could be “hundreds, thousands,” given the vast array of social services affected by the attack.
Brain Cipher Targeted Indonesia’s temporary National Data Centers in June, according to a report in information security and technology news publication Bleeping Computer. That cyberattack encrypted the government’s servers and disrupted immigration services, passport control, issuing of permits, and other services.
Walsh, the Deloitte U.S. spokeswoman, could not provide additional details on the RIBridges breach. “As this is an ongoing investigation, I cannot say more,” she wrote.
Gov. Dan McKee and members of his administration were scheduled to hold a briefing on the data security threat to RIBridges at 3 p.m. at the Department of Administration. State officials will review steps the state is taking to communicate with potentially affected Rhode Islanders. RIBridges, formerly known as the Unified Health Infrastructure Project (UHIP), serves approximately one third of the state’s population.
But anyone who has ever applied for benefits, not just those who are receiving benefits, may be impacted by the data breach.
The programs impacted include:
- Medicaid
- Supplemental Nutrition Assistance Program (SNAP)
- Temporary Assistance for Needy Families (TANF)
- Child Care Assistance Program (CCAP)
- Health coverage purchased through HealthSource RI
- Rhode Island Works (RIW)
- Long-Term Services and Supports (LTSS)
- General Public Assistance (GPA) Program
- At HOME Cost Share
GET THE MORNING HEADLINES.