Rhode Island has publicly released the findings of a third-party investigation into the 2024 RIBridges cyberattack and the data breach that followed. The announcement came at a press conference with Governor Dan McKee and Chief Digital Officer Brian Tardiff. The analysis, conducted by cybersecurity firm CrowdStrike, lays out a five-month breach timeline and puts the number of affected individuals at 644,401.
RIBridges, managed by Deloitte, is a critical system for administering essential social services, including health insurance, food assistance, and the Child Care Assistance Program.
As previously reported, Deloitte notified the state on December 5, 2024, of a potential security compromise, citing a high probability that sensitive information had been accessed by a cyber adversary. The Brain Cipher group later claimed responsibility for the hack. In response, Rhode Island temporarily took the RIBridges system offline and mailed notification letters to nearly 650,000 individuals.
The comprehensive report from CrowdStrike shed light on the methods used by the attacker to infiltrate the RIBridges environment, detailing how they accessed, staged, and exfiltrated data across 28 different systems. Examining post-incident analyses of such breaches can help organizations enhance their cybersecurity measures.
CrowdStrike analysis reveals breach timeline, access details
The breach began on July 2, 2024, when the attacker gained access to the RIBridges system through unauthorized use of Deloitte credentials. According to the CrowdStrike report, the attacker successfully authenticated to the RIBridges non-production virtual private network (VPN) from an external IP address using a non-privileged account not associated with the state of Rhode Island.
While CrowdStrike could not ascertain the exact method the attacker used to obtain these credentials, nor confirm if multifactor authentication (MFA) was circumvented, the report detailed that the following day, the cyber adversary initiated remote desktop sessions to application servers and extended access across six additional RIBridges systems.
Throughout July 2024, the attacker engaged in reconnaissance activities, escalated privileges, harvested credentials, and used readily available remote monitoring tools to persistently maintain access to the RIBridges infrastructure. From July to November, the adversary actively browsed files and interacted with various folders before transferring stolen data to an external cloud service.
Despite the extent of the intrusion, CrowdStrike found no evidence that ransomware was deployed within the RIBridges environment, and no ransom notes were discovered. In discussions with CrowdStrike, neither Rhode Island nor Deloitte reported observing the impacts typically associated with a ransomware incident.
The attacker's access to the RIBridges environment was last observed on November 28, 2024, with no activity detected after that date. The investigation found that 114,000 individuals who received breach notifications in January 2025 were not, in fact, affected. Conversely, it identified 107,000 affected individuals who had not previously been notified, bringing the total affected by the breach to 644,401.
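The chain described above (a valid-account VPN login from an external address, remote desktop sessions fanning out to application servers, an off-the-shelf remote monitoring tool for persistence, and bulk transfer to an external cloud service) is the kind of sequence a security operations team would want to correlate into one timeline rather than alert on piecewise. The Python script below is an added example and is not part of the article or of CrowdStrike's report: it runs four simple rules over constructed VPN, RDP, process and network-egress events and tags each hit with the MITRE ATT&CK technique it corresponds to. The account names, hostnames, IP addresses, tool binary names, cloud domain, allowlisted domain and thresholds are all assumptions made for the example.

```python
"""Correlate VPN, RDP, process and egress events into an intruder timeline.

Each rule tags its hit with the MITRE ATT&CK technique it matches. Every event,
host, account, IP address and threshold is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Tunables (assumed values for this example).
ALLOWED_DOMAINS = {"ri.gov"}                       # accounts expected on the VPN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # the org's own address space
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_FANOUT_WINDOW = timedelta(hours=48)            # look this long after VPN login
RDP_FANOUT_MIN = 3                                 # distinct RDP targets to flag
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
CLOUD_STORAGE = {"storage.example-cloud.test"}     # placeholder egress domain
EXFIL_MIN_BYTES = 100 * 1024 * 1024                # 100 MiB to one cloud host

# Constructed sample events (ISO timestamps). Dates follow the article's
# timeline; accounts, hosts and addresses are invented.
EVENTS = [
    {"ts": "2024-07-02T21:14:00", "kind": "vpn_login", "user": "jdoe@vendor.test",
     "src_ip": "203.0.113.45", "profile": "nonprod"},
    {"ts": "2024-07-02T22:00:00", "kind": "vpn_login", "user": "asmith@ri.gov",
     "src_ip": "198.51.100.7", "profile": "prod"},
    {"ts": "2024-07-03T09:05:00", "kind": "rdp_login", "user": "jdoe@vendor.test",
     "src_host": "vpn-pool-12", "dst_host": "app-srv-01"},
    {"ts": "2024-07-03T09:31:00", "kind": "rdp_login", "user": "jdoe@vendor.test",
     "src_host": "app-srv-01", "dst_host": "app-srv-02"},
    {"ts": "2024-07-03T10:12:00", "kind": "rdp_login", "user": "jdoe@vendor.test",
     "src_host": "app-srv-01", "dst_host": "app-srv-03"},
    {"ts": "2024-07-09T13:20:00", "kind": "process", "host": "app-srv-02",
     "user": "jdoe@vendor.test",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk.exe"},
    {"ts": "2024-09-14T02:41:00", "kind": "egress", "host": "app-srv-02",
     "dst_domain": "storage.example-cloud.test", "bytes": 850_000_000},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def _finding(event, technique, name, detail):
    return {"ts": event["ts"], "technique": technique, "name": name,
            "user": event.get("user"), "detail": detail}


def analyze(events, allowed_domains=ALLOWED_DOMAINS):
    """Return ATT&CK-tagged findings, in time order, for the given events."""
    findings = []
    first_suspect_login = {}        # user -> time of the flagged VPN login
    rdp_targets = defaultdict(set)  # user -> hosts reached over RDP

    for e in sorted(events, key=_ts):
        kind = e["kind"]
        if kind == "vpn_login":
            # T1078: non-production VPN login from outside our address space by
            # an account whose domain the organisation does not own.
            domain = e["user"].rsplit("@", 1)[-1].lower()
            if (e["profile"] != "prod" and _is_external(e["src_ip"])
                    and domain not in allowed_domains):
                first_suspect_login.setdefault(e["user"], _ts(e))
                findings.append(_finding(e, "T1078", "Valid Accounts",
                    f"{e['user']} on {e['profile']} VPN from {e['src_ip']}"))
        elif kind == "rdp_login" and e["user"] in first_suspect_login:
            # T1021.001: the flagged account fans out over RDP soon after login.
            rdp_targets[e["user"]].add(e["dst_host"])
            within = _ts(e) - first_suspect_login[e["user"]] <= RDP_FANOUT_WINDOW
            if within and len(rdp_targets[e["user"]]) == RDP_FANOUT_MIN:
                findings.append(_finding(e, "T1021.001", "Remote Desktop Protocol",
                    f"{e['user']} reached {sorted(rdp_targets[e['user']])}"))
        elif kind == "process" and e["user"] in first_suspect_login:
            # T1219: a known remote-monitoring binary run by the flagged account.
            image = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in RMM_IMAGES:
                findings.append(_finding(e, "T1219", "Remote Access Software",
                    f"{image} started on {e['host']}"))
        elif kind == "egress":
            # T1567.002: bulk transfer to cloud storage from a host the flagged
            # account had already reached over RDP.
            touched = any(e["host"] in hosts for hosts in rdp_targets.values())
            if (touched and e["dst_domain"] in CLOUD_STORAGE
                    and e["bytes"] >= EXFIL_MIN_BYTES):
                findings.append(_finding(e, "T1567.002", "Exfiltration to Cloud Storage",
                    f"{e['bytes']} bytes from {e['host']} to {e['dst_domain']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['ts']}  {f['technique']:<10} {f['name']:<30} {f['detail']}")
```

Two design choices are worth noting. The later rules only fire for an account that the VPN rule has already flagged, so a legitimate administrator's RDP sessions or a sanctioned remote-support tool do not generate noise on their own; the price is that the VPN rule must be good, which is why it keys on the organisation's own address space and account domains rather than on a generic "is this IP public" test. The egress rule likewise requires the destination host to be one the flagged account reached, tying the exfiltration step back to the initial access rather than alerting on every large upload.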
Recovery, notification efforts underway
Since the breach was identified in December 2024, Rhode Island and Deloitte have been actively informing those impacted and seeking resolutions to the fallout from the RIBridges hack. Governor McKee emphasized at the press conference that the series of incidents and associated risks to the public are unacceptable, holding Deloitte accountable for the oversight.
As part of their response, Deloitte committed to providing $5 million in remediation costs to Rhode Island, covering expenses incurred by approximately 2,000 HealthSource RI customers who had to switch to alternative plans post-breach. The financial assistance also extended to credit monitoring and identity theft protection services for those affected.
Moving forward, the state is exploring options to modernize the RIBridges system currently managed by Deloitte, with intentions to transition to a new infrastructure altogether. Such measures aim to fortify cybersecurity defenses and mitigate the risk of future breaches.
As cyber threats continue to evolve, proactive measures are essential for safeguarding sensitive data. Mapped to the MITRE ATT&CK framework, the reported activity suggests that initial access was likely achieved through stolen credentials, while persistence and privilege escalation techniques were used to maintain a foothold in the environment. All entities managing sensitive data must remain vigilant and adapt their cybersecurity strategies in response to ongoing threats.
Jill McKeon has provided coverage on healthcare cybersecurity and privacy issues since 2021.