
Hackers trying to extort the Rhode Island government infiltrated the state's public benefits system, causing state officials to shut down online services that let residents apply for Medicaid and other assistance programs.
"As part of this investigation today, we discovered that within the Rhode Island Bridges system, a cybercriminal had installed dangerous malware that constituted an urgent threat," Governor Dan McKee said at a Friday night press conference, according to The Providence Journal. "That is why tonight we have shut down the system. That means customers will temporarily not be able to access any customer portal related to the services on Rhode Island Bridges."
The vendor "Deloitte confirmed that there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," McKee's office said in a press release. Rhode Island has "proactively taken the system offline so that the State and Deloitte can work to address the threat and restore the system as quickly as possible."
The state decided to sign a new three-year contract with Deloitte in 2021 despite the vendor's earlier failure to build a stable system. RIBridges, originally called Unified Health Infrastructure Project (UHIP), launched in 2016 and "suffered from massive cost overruns before launch and catastrophic failures afterward," WPRI wrote in 2021.
The hack disclosed on Friday has already inspired a class-action lawsuit against Deloitte. The lawsuit was filed in a federal court yesterday.
Many state programs impacted
Information obtained by hackers "may include names, addresses, dates of birth and Social Security numbers, as well as certain banking information," the governor's office said Friday, noting that analysis of the breach was not complete.
"To the best of our knowledge, any individual who has received or applied for health coverage and/or health and human services programs or benefits could be impacted by this leak," the governor's office said. This includes Medicaid, Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Child Care Assistance Program (CCAP), health coverage purchased through HealthSource RI, Rhode Island Works (RIW), Long-Term Services and Supports (LTSS), and the General Public Assistance (GPA) Program.
An updates page said the state and Deloitte are still "focused on addressing the threat" and aren't yet saying when the RIBridges system will be restored. "We understand this is an alarming situation for our customers. Current customers will not be able to log into their account through the portal or the mobile app while the system is offline... Rhode Islanders seeking to apply for benefits can still submit a paper application."
Residents can still find the mail-in applications for health coverage and other forms of assistance at this webpage.
“Extortion-type activity”
At a press conference, Rhode Island Chief Digital Officer Brian Tardiff indicated that hackers are demanding money from the state but didn't reveal the amount sought. "This is not a ransomware attack where there has been malware executed within the environment, this is more of an extortion-type activity by this cybercriminal group," he said.
Deloitte first informed the state of a "potential cyberattack" on December 5, but it wasn't yet clear whether any sensitive information was breached, the state updates page said. Federal law enforcement and state police were notified, and the state and Deloitte worked on assessing the threat and implementing additional security measures.
The state said the hack wasn't disclosed publicly immediately after December 5 because "it was important, for security reasons, to keep this knowledge internal until we could secure the RIBridges system." Later, a hacker sent a screenshot showing file folders they'd accessed, and Deloitte found malicious code in the system.
"On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte," the state said. "On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat. State police and federal law enforcement are involved in an advisory capacity and no further leads have been provided."
The state said it will send letters to people whose personal information was compromised. The letters will explain how they can access free credit monitoring.
Deloitte contracted with Experian to run a call center (phone number: 833-918-6603), but call center staff will only "be able to provide general information about the breach as well as steps customers can take now to protect their data. Unfortunately, as the analysis of the data involved is still happening, call center staff will not be able to confirm whether a particular individual's data is or is not included in the breach at this time."