Ransomware attack on Rhode Island health services exposed personal data of hundreds of thousands
Hackers are threatening as early as this week to release the personal information of potentially hundreds of thousands of Rhode Islanders connected with RIBridge, the state’s health and social services system that suffered a cyberattack on Dec. 5, Gov. Dan McKee and state officials told media over the weekend.
Brian Tardiff, Rhode Island’s chief digital officer, said that the cybercriminals behind the attack threatened to release the data they claim to have obtained in the Dec. 5 cyberattack unless they receive a ransom payment. Tardiff did not specify the ransom deadline, amount of money demanded or if the hackers identified themselves.
“Any individual who has received or applied for state health coverage or health and human services programs or benefits could be impacted by this breach,” according to an update posted to the state’s website Friday after the cyberattack was detected.
The state’s benefits programs that may be impacted by the breach include Medicaid, Supplemental Nutrition Assistance Program, Temporary Assistance for Needy Families, Child Care Assistance Program, health coverage purchased through HealthSource RI, Rhode Island Works, Long-Term Services and Supports, General Public Assistance and Program At HOME Cost Share.
According to Rhode Island’s Office of Health and Human Services, the department each year serves more than 300,000 Rhode Islanders, including adults, children, senior citizens, individuals with disabilities and veterans. The benefits programs account for more than 40% of the annual state budget, roughly $3.1 billion.
On Dec. 5, the state was informed by Deloitte, its IT vendor, that there was a major security threat to the RIBridges system, according to the notice posted to the state’s website Saturday. On Dec. 10, Deloitte confirmed the cyberattack.
On Friday, the vendor told state officials that there was a high likelihood that cybercriminals had obtained files with personally identifiable information, such as names, addresses, dates of birth and Social Security numbers, as well as certain banking information.
In response, state officials took system offline on Friday to address the cybersecurity threat and restore operations.
McKee told media that Deloitte had hired a third party to handle negotiations with the cybercriminals, however, it remained unclear whether the vendor or the state would make the final decision about the paying the ransom.
“That conversation is going on directly with Deloitte and the cyber criminals. That’s how this process works, we’re learning a little bit about,” McKee said. “But we’re being notified on the progress on it, and ultimately, it does end up with that decision with me.”
