Personal data of Rhode Island residents breached in large cyberattack
The personal and private information of possibly hundreds of thousands of people who applied for government assistance in Rhode Island could be in the hands of hackers after a huge cyberattack, state officials said Friday.
The cybercriminals said to be behind the attack threatened to release the data unless they received a payment, said Brian Tardiff, the state’s chief digital officer.
Hackers gained access to RIBridges, the state’s online portal for obtaining social services, such as the Supplemental Nutrition Assistance Program, known as SNAP, and Medicaid benefits, as well as health insurance through the state’s marketplace for coverage, HealthSource RI, officials said at a news conference Friday.
Other programs under RIBridges include ones for financial assistance to low-income families, child care help, employment assistance, long-term care for disabilities and cash assistance.
Anyone who has applied for or received benefits through those programs since 2016 could be affected, the state said.
Gov. Dan McKee said the state and its vendor, Deloitte, are investigating the cause of the breach and what information was obtained. He said it was still unclear exactly how many people might be affected but estimated it could be hundreds of thousands of benefit applicants.
There is a “high probability” that highly sensitive information, including Social Security and bank account numbers, were stolen, according to a news release from the governor’s office.
Institutions have been dealing with cybercriminals, including a ransomware attack that disrupted health care services in at least three states and another that snarled payroll and scheduling services for prominent international companies, including Starbucks and one of Britain’s largest grocery store chains.
In Rhode Island, the state was first informed by Deloitte that the RIBridges system was the target of a potential cyberattack Dec. 5, according to the governor’s office. By Tuesday, it had received confirmation of the breach after a screenshot of file folders was sent to Deloitte by a hacker.
The next day, Deloitte confirmed that there likely was sensitive information in the folders, and Friday, the company confirmed that there was “malicious code present in the system.”
The state then “directed Deloitte to shut RIBridges down to remediate the threat,” according to the governor’s office.
In a statement Saturday, Karen Walsh, a Deloitte spokesperson, said that the attack had been perpetrated by “an international cybercriminal group” and added that the company began an investigation “in collaboration with our client and law enforcement officials.”
The malware found in the system could have caused “catastrophic damage,” Tardiff, the state’s chief digital officer, said at the news conference.
Tardiff said the hackers threatened to release the sensitive information unless they were paid an undisclosed amount but he added that this was not a ransomware attack. “This is more of an extortion-type activity,” he said.
Benefits for December from the affected programs have already been disbursed, said Kimberly Merolla-Brito, director of state’s Department of Human Services. Anyone looking to apply for new benefits will need to file paper applications until the system is running again.
The attack and subsequent shutdown comes at a busy time, said Lindsay Lang, director of HealthSource RI, as the state is going through its annual open-enrollment period for health insurance, when people apply for or renew coverage.
“The good news is that, so far, we know that Rhode Islanders are doing what they need to during open enrollment to get and stay covered,” she said, adding that open enrollment ends Jan. 31.
Households known to have been affected by the breach will receive a letter from the state explaining how to access free credit monitoring, according to the governor’s office. Additionally, a dedicated call center will be available for anyone affected, starting at 11 a.m. on Sunday.
The governor’s office said it was unaware of any identity fraud or theft resulting from the data breach, but anyone affected is urged to “remain vigilant and monitor their accounts for any unauthorized activity.”
This article originally appeared in The New York Times.