Rhode Island Attorney General Peter Neronha is considering possible legal action against state contractor Deloitte following a third-party review into a cyber-breach that put the personal data of more than a half-million Rhode Islanders at risk.
“The state is pursuing all available remedies at this time,” Neronha spokesman Tim Rondeau told The Public’s Radio.
Gov. Dan McKee used a Statehouse news conference Thursday to detail the findings of a review by cyber-security firm CrowdStrike, including how the breach of RI Bridges, the state’s online portal for health and human service benefits, went undetected for about five months before being discovered last December.
McKee said CrowdStrike’s findings show that a “threat actor” gained access to RI Bridges last July through unauthorized use of Deloitte credentials. The breach was not discovered until December.
“Deloitte missed some issues that we certainly hold them responsible for,” McKee said. “And we want the Rhode Islanders — first of all, we thank you for your patience relative to this issue, but we also want to make sure that people know that we will pursue all avenues in our efforts to ensure accountability.”
Deloitte did not immediately respond to a request for comment.
McKee and other state officials said the latest information shows that 644,401 people were potentially affected through the cyber-breach, including 107,757 names recently uncovered through CrowdStrike’s forensic analysis.
The governor said steps have been taken since the breach was discovered to safeguard RI Bridges from another attack. He said the state continued to distribute planned benefits without interruption despite the breach.
McKee said letters will go out to newly identified individuals who face potential risk to their data.
In a statement, the governor’s office said, “Since December, when the State first became aware of the data breach, the McKee Administration has repeatedly advised the public to take steps to safeguard their personal information, regardless of whether they had any connection with the RIBridges data system.”
The statement continued: “The public is advised to visit the cyberalert.ri.gov website for information on how to monitor and freeze your credit and request a fraud alert. It also advises the public to use multifactor authentication and beware of unsolicited emails, calls or texts requesting personal information.”
