An extreme closeup of a free credit monitoring letter that went out to customers affected by the RIBridges data breach in early January, explaining the breach and how to access the monitoring and identity protection services paid for by system vendor Deloitte.
(Photo by Alexander Castro/Rhode Island Current)
After more than a month offline, the doorway to Rhode Island’s health insurance and public benefits portal will reopen for a few thousand Rhode Islanders.
The state will phase in customer access to the RIBridges portal, HealthyRhode.ri.gov over the next few weeks, Gov. Dan McKee and state officials said Thursday at the State House.
“The customer portal has received a clean bill of health,” McKee said. “This effort is not, however, as simple as flipping a switch. We’re going to relaunch the system by gradually increasing user capacity.
As early as Friday morning, a few thousand randomly selected accounts will receive emails with instructions on how to reset passwords in the initial phase of restoring public access for the health insurance and social services portal. Clients will need to craft a new password to access the website, which shuttered in December after system vendor Deloitte acknowledged a cyberattack that stole approximately a terabyte of data.
The reopening comes after Deloitte and a third-party auditor determined the system is safe to go live on the frontend. The administrative backend of the site, used by state employees, returned earlier this month.
The password reset emails will not contain any clickable links, and will be sent from the address notice@uhip.ri.gov. Customers who do not receive the password email will remain unable to log in. The state is controlling access to the portal so it can gauge the system’s readiness for a full return to normal operations. New accounts cannot be created at this point either, said the governor.
“We need to limit the number of people logging in at the beginning,” McKee told reporters at a media briefing.
Phase one could take about a week or two, said Chief Digital Officer Brian Tardiff, but there could be fewer waves of password reset emails than planned if everything proceeds smoothly.
The new password requirements for HealthyRhode are:
- 10-15 characters (longer than the previous requirement of eight characters)
- At least 1 number
- At least 1 special character
- At least 1 uppercase and 1 lowercase letter
- Must not repeat a character more than twice in a row
- Must not contain the account username
Cybersecurity experts recommend changing your passwords on other sites where you might have used a breached password or username. So if you used your HealthyRhode.ri.gov username and password combination in other places, it’s a good idea to change your passwords on those sites. Password managers, which are native to modern browsers like Google Chrome and are often searchable, can help you determine if you’ve used the same username or password combination on multiple sites. An online generator can create very long and hard to crack passwords that will likely satisfy the system’s new password requirements.
Lindsay Lang, the director of health coverage market HealthSource RI, reminded residents that the open enrollment period has been extended to the end of February this year.
“Customers who are carried over from their 2024 coverage without having picked a plan, or for folks who are not automatically renewed for coverage for 2025, now is the time to give us a call,” Lang said.
Hidden strengths and plot danglers
The RIBridges saga may seem to be in its denouement with the breached system gradually getting back online, but numerous plot threads remain dangling.
Most curious is the continued absence of mega-consultancy Deloitte at the governor’s press events. State officials held out hope a representative from the company — which made $67.2 billion in its fiscal year 2024 — might show up eventually.
“Deloitte is very focused on the effort of restoration, and as we’ve stated, at the right moment, we would expect that Deloitte would be here with us,” Tardiff said. “We’re still in restoration. So upon full restoration, we will, we’ll have those conversations.”
A Deloitte spokesperson did not respond to a request for comment Thursday afternoon.
There’s also the matter of programs and people affected. Independent analyses have not clarified the type of data stolen. Breached data includes Social Security Administration data strings used to crosscheck the incarceration status of applicants, which could apply to a wide variety of social services. The official list of programs affected numbers nine, and includes Medicaid, food stamps, Rhode Island Works, dementia home care servives and others.
“It’s our goal to provide as many details as we can after a thorough security and legal review,” Tardiff said. “Cybersecurity is tricky, and we certainly don’t want to expose any information that could further expose the state to risk.”
It’s remained difficult to understand the actual contents of the data dump, even for Deloitte. Tardiff said the company has processed “about two-thirds” of the breached data. If the hack truly pilfered about 1 terabyte, that means Deloitte has downloaded about 666 gigabytes so far. The data has been downloadable from the cybercriminals’ website since Dec. 30, which means the firm has been able to download about 28 gigabytes daily.
But screencaps of the hackers’ advertised files differed greatly in size, and state officials have pointed to a slow dark web server hosting the downloads as another obstacle to analysis. It’s unclear just how much of an arduous task it’s been for Deloitte to download, parse and verify the data, but Tardiff suggested the excruciatingly slow process of system recovery is absorbing all Deloitte’s efforts.
Still, how did the state ascertain the colossal numbers of people affected — 657,000 Rhode Islanders, in a recent estimate — if it still has not seen all the data that was stolen?
“That number was based off of the forensic evidence that identified where the bad actor had presence within the system,” Tardiff said. “So the number that was generated is a summarization of where we see their access.”
Asked if the state would continue working with Deloitte, Tardiff replied, “Right now they are contractually obligated to deliver services, and as we’ve stated in previous press conferences, we do have a strategic plan in process to explore options to replace and modernize the system.”
Everything you need to know about RIBridges’ backend was on the internet for the past six months
That modernization proposal included a previously public scope of work document that had been living, in two separate places, on the state’s procurement website since at least June 2024. The document contained a revealing schematic of the RIBridges infrastructure, with lists of software and hardware version and model numbers offering possible insight into vulnerabilities. Rhode Island Current reported Wednesday that after making repeated inquiries, the scope of work documents had been removed from their respective request for proposals pages.
Asked about the potential security risks in that once-public document, Tardiff repeated what his colleagues in the Department of Administration said last week:
“I can’t comment on any perceived or potential cybersecurity risks,” he said, then swiftly added, “or strengths, for that matter.”
YOU MAKE OUR WORK POSSIBLE.