The state of Rhode Island is facing questions about its ongoing reliance on Deloitte after the personal information of hundreds of thousands of Rhode Islanders became potentially vulnerable during a recent cyber attack.
The hack was revealed late Friday and involves RI Bridges, the state’s portal for an array of health and public benefit programs.
How the breach happened remains the subject of an ongoing inquiry. Gov. Dan McKee has repeatedly urged Rhode Islanders who may be affected to protect themselves by taking the steps outlined on the state website cyberalert.ri.gov.
“We do not know yet the extent of data that the cyber-criminals have accessed,” the governor said, “but it could include Social Security numbers, date of birth and possibly banking information of anyone who has applied for or received benefits from services that are hosted by the RI Bridge program.”
McKee said acting now to secure data is important since it’s unclear when the hackers may make public the information they obtained.
The programs managed through RI Bridges include but are not limited to: Medicaid; Supplemental Nutrition Assistance Program (SNAP); Temporary Assistance for Needy Families (TANF); Child Care Assistance Program (CCAP); Health coverage purchased through HealthSource RI; Rhode Island Works (RIW); Long-Term Services and Supports (LTSS); General Public Assistance (GPA) Program; and At HOME Cost Share.
In a statement, Deloitte said it is working around the clock to resolve the situation, and the giant consulting company seemed to distance itself from responsibility for the hack: “Our investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network. No Deloitte systems have been impacted.”
But Brian Tardiff, Rhode Island’s chief digital officer, took issue with that assertion. He said Deloitte manages RI Bridges even if it is not hosted on the company’s website.
Asked during a Smith Hill news conference how the hack happened, and whether Deloitte was responsible, Tardiff said, “It’s an ongoing investigation, so we can’t provide any details at this point. We do expect a full root cause analysis that will provide those details.”
Tardiff added that RI Bridges “is maintained and operated by Deloitte, so we believe it [the breach] is not from the state.”
Tardiff declined to answer a number of questions, including whether state officials are negotiating with the hackers about what happens with the information to which they gained access.
Deloitte came under fire during the administration of former Gov. Gina Raimondo’s tenure for problems with UHIP, the computer system it built for managing human service benefit programs. Rhode Island paid tens of millions of dollars less than originally planned to the company due to the concerns.
Asked during a Q&A with reporters how he felt about renewing a contract with Deloitte in 2021, McKee said, “Well, if you asked me that question a few weeks back, I think you would have gotten a pretty positive answer. We just went through recertification of about 370,000 people on Medicaid, and there was no reason to call a press conference, right?”
Now, McKee said, “We’re certainly concerned about it. I’m not going to speculate on where it all ends, but I think [Brian] has indicated that they have a heavy responsibility to respond, which we’re working on, and we’ll let it play out in terms of what the legal ramifications are.”
WPRI reports that Deloitte faces a class-action lawsuit due to the breach.
State agencies have expanded hours to help Rhode Islanders who have questions about the situation or need assistance.