Gov. Dan McKee called the deadline given by hackers who installed malicious malware on the RIBridges system and demanded a ransom a “moving target” at a press conference late Saturday afternoon.
This article was originally published by Rhode Island Current.
Time is of the essence for hundreds of thousands of Rhode Islanders to take steps to shield their digital identities after state officials Friday acknowledged a major cyberattack on the state’s system for enrolling on Medicaid and other social service programs or signing up for commercial-based health care plans.
Gov. Dan McKee called the deadline given by hackers who installed malicious malware on the RIBridges system and demanded a ransom a “moving target” at a press conference late Saturday afternoon.
“Based on our latest information we have, the data could be exposed in the near future as early as this coming week,” McKee said.
State officials declined to comment on the ransom amount.
RIBridges, formerly known as the Unified Health Infrastructure Project (UHIP), serves approximately one third of the state’s population. That includes more than 46,000 individuals enrolled in health plans through the state’s health insurance marketplace, HealthSource RI, as well as over 8,000 more through the small group options offered to employers in the state. But the data breach could impact people who have applied for but are not receiving benefits. And it’s unclear how many years of data could have been exposed.
Rhode Island has nearly 1.1 million residents, according to the 2020 Census.
No representative from Deloitte, the vendor that manages the RIBridges system, was present at the news conference.
McKee relinquished the podium to a federal cybersecurity expert who strongly encouraged residents to enable multi-factor authentication on their bank or credit card accounts, sign up online for free credit monitoring services through major credit bureaus and use passwords that are 10 to 12 characters long.
“In talking with the governor, it is possible that we’re going to have some additional credit monitoring provided by Deloitte as part of the partnership and work that they’re doing together,” said Michael Tetreault, cybersecurity advisor at CISA U.S. Department of Homeland Security.
The RIBridges system is used to serve vulnerable residents who rely on assistance for health care, food, child care, adult day care and emergency housing.
The system was taken offline Friday afternoon after Deloitte confirmed a major security threat had occurred and that there was a “high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges.” Networks are typically taken offline to prevent further intrusion on systems.
Effective Monday, the Department of Human Services will revert back to paper application processing, said Director Kimberly Merolla-Brito.
“We formerly used to do this and are confident that we’ll be able to help individuals in need of human service benefits and services,” Merolla-Brito said.
Merolla-Brito said Electronic Benefits Transfer (EBT) cardholders can place a freeze on their cards to prevent the card or benefits associated with the account from being used via the ebtEDGE online portal. Cardholders who lost or misplaced their cards or fear they may have been compromised can also call the EBT customer service line at 1 (888) 979-9939.
State officials learned of the possibility that the system was the target of a potential cyberattack on Dec. 5 from its vendor Deloitte. At that time, the FBI and the Rhode Island State Police were notified.
On Tuesday, Dec. 10, Deloitte confirmed there had been a breach of RIBridges based on a screenshot of file folders sent by the hacker to Deloitte. On Friday, Dec. 13, Deloitte confirmed there was malicious code present in the system, prompting the shutdown of the system.
The state will provide updates at https://admin.ri.gov/ribridges-alert.
Update: This story has been clarified to reflect that the data of applicants and not just current beneficiaries could have been exposed.