Deloitte Faces Class Action Lawsuits Over Rhode Island Cyber Breach
Deloitte Consulting has been hit with class action lawsuits over the cyber breach of Rhode Island’s portal for state-administered benefits known as RIBridges.
The suits have been brought in Rhode Island and New York federal courts on behalf of individuals who applied for or are enrolled in benefits offered by RIBridges and whose personal private information may have been hacked. The suit claims that Deloitte, as services provider for RIBridges, has been negligent for failing to protect the plaintiffs’ sensitive data and for being slow to notify them of the breach.
Deloitte has acknowledged that some of the information breached contained names, addresses, dates of birth and Social Security numbers, as well as certain banking information. The state has indicated there could be hundreds of thousands of people affected.
Despite learning of the data breach on December 5, Deloitte has not begun sending notices of the breach to affected individuals, according to the lawsuits.
Timeline
According to Deloitte, it first learned that the RIBridges data system was the target of a potential cyber attack on December 5. The company said it was unclear at that time if any sensitive information was breached. Federal law enforcement and agencies and the state police were notified.
“It was important, for security reasons, to keep this knowledge internal until we could secure the RIBridges system. At the same time, our team began an investigation into what data may have been compromised, and how a possible attack was able to occur,” Governor Dan McKee said.
On December 10, Deloitte confirmed the breach based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte told the state that there is a “high probability that the folders contain personal identifiable data” from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the state directed Deloitte to shut RIBridges down to remediate the threat.
Deloitte has indicated the Brain Cipher international ransomware gang is behind the breach.
Affected Individuals
McKee said any individual who has received or applied for health coverage and/or health and human services programs or benefits could be impacted by this attack. He said hundreds of thousands of applicants may be affected.
At a December 14 press briefing, McKee administration officials said the state has been warned that personal data could be exposed as early as this week. They said experts including Deloitte are in negotiations with the cyber criminals over any ransom to be paid. “The urgency is there,” McKee said.
State officials also said that Deloitte is handling negotiations with the criminals, although state and federal officials will be consulted before any ransom is paid.
RIBridges provides access to healthcare, insurance, food stamps, and other benefits available under various programs including Medicaid, Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Child Care Assistance Program (CCAP), Health coverage purchased through HealthSource RI, Rhode Island Works (RIW), Long-Term Services and Supports (LTSS) and the General Public Assistance (GPA) program.
Currently, customers are not able to log into their accounts through the portal or the mobile app while the system is offline. Those seeking to apply for benefits can still submit paper applications.
The state said it will be sending notifications explaining how to access free credit monitoring by mail, email and text to households that may have had personal information compromised. A dedicated call center has been activated at 833-918-6603.
As of Tuesday morning, state officials had not reported any identity theft or fraud related to this data breach yet. However, the state is advising customers to monitor their accounts for any unauthorized activity. He also urged citizens to take steps to freeze credit or place a fraud alert through the three major credit bureaus, change any common or reused passwords, and ask their bank what steps may be taken related to the security of their bank account.
The state has set up a site for updates on the RIBridges situation at cyberalert.ri.gov.
Deloitte Statement
Deloitte offered no comment on the litigation. Deloitte issued this statement on December 13:
“Upon learning that a state system supported by Deloitte had been attacked by an international cybercriminal group, we launched an investigation in collaboration with our client and law enforcement officials. While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve. We will continue to work around the clock to resolve this matter.”
Deloitte also confirmed that none of its own systems have been impacted by the attack on the Rhode Island system, which sits outside of the Deloitte network.
Class Actions
The lead plaintiffs in the suits are Ronald J. Pannozzi of Providence, Patricia Mahoney of North Providence, and Claire A. Taraborelli of Cranston. The suits claim the plaintiffs are aware of the dangers of identity theft and fraud and have taken steps to mitigate the impact of the breach. As a result of the data breach, the plaintiffs and an unspecified “thousands of class members” will suffer financial losses resulting from identity theft, out-of-pocket expenses, the loss of the benefit of their bargain, and the value of their time incurred to remedy or mitigate the effects of the attack, according to the complaints.
The class actions seek compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Deloitte’s data security systems, future annual audits, and adequate, long-term credit monitoring services funded by Deloitte, and declaratory relief.
The RIBridges incident comes just a few months after the Providence school system had to deal with a cyber breach. In September, school system officials learned that information may have been accessed by an unauthorized actor between August 30 and September 11, 2024 and that the information could include names, addresses, and social security numbers of employees. The number of individuals potentially impacted included 12,000 current and former employees.