Deloitte hit with class action lawsuits following RIBridges cyberattack, state was warned

PROVIDENCE, R.I. (WLNE) — Deloitte, the contractor that runs the RIBridges system, has been hit with two class action lawsuits following the announcement from officials that a cyber security hack has put the personal information of state health and benefits programs at risk.

The lawsuit alleges that Deloitte “failed to adequately protect individuals’ sensitive personally identifiable information maintained in the Rhode Island system referred to as RIBridges.”

Former state Rep. Peter Wasylyk is representing two plaintiffs who filed the lawsuits, identified in the complaints as Ronald Pannozzi and Patricia Mahoney.

“This incident is just another example of the critical need for entities to take strong measures to safeguard such sensitive personal information,” said Wasylyk in a statement.

“When entities fail to protect individuals’ personally identifiable confidential data, affected individuals are left extremely vulnerable,” he said.

The lawsuit also alleges that Deloitte failed to implement adequate and reasonable cyber-security procedures and protocols, and maintained private information in a “reckless manner.”

During a press conference on Monday afternoon, Governor Dan McKee said things like Medicaid, Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Child Care Assistance Program (CCAP), Health coverage purchased through HealthSource RI , Rhode Island Works (RIW) , Long-Term Services and Supports (LTSS), General Public Assistance (GPA) Program, and At HOME Cost Share could have been affected by the data breach.

McKee also said that the state still doesn’t know the extent of the data that has been accessed by cyber criminals but it could include birthdates, social security numbers, and banking information.

The state’s website, Deloitte first informed the state about a potential cyber attacks on Dec. 5.

The next day, Deloitte did confirm there was a high probability that the breached folders contained personal and identifiable data.

Deloitte confirmed a malicious code present on Dec. 13., which is when the public was notified.

People who use or have used RIBridges to apply for services or benefits are urged to go to cyberalert.ri.gov for active updates and to utilize the call center at 833-918-6603.

Deloitte confirmed that Rhode Island’s system known as RIBridges is the “single client system” impacted by the Brain Cipher data breach.

In a statement, Deloitte said:

“We are aware of the claims by the threat actor. Our investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network. No Deloitte systems have been impacted. Upon learning that a state system supported by Deloitte had been attacked by an international cybercriminal group, we launched an investigation in collaboration with our client and law enforcement officials. While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve. We will continue to work around the clock to resolve this matter.”

In the state’s audit report from June 2023 from Auditor David Bergantino, Bergantino wrote that the state of Rhode Island had updated its current cybersecurity readiness and has “begun to identify risk mitigation priorities and the resources needed to implement necessary action. The state does not currently have sufficient resources dedicated for the size and complexity of operations and risk mitigation is not progressing quickly.”

Bergantino also wrote that although the state was continuing to enhance system security oversight, deficiencies seen over RIBridges and Medicaid Management “should be addressed.”

As this is an ongoing investigation, Deloitte said they can not comment further.