Repeated Warnings Ignored Before Devastating RIBridges Cyberattack
Providence, RI – A significant cyberattack targeting RIBridges, Rhode Island’s public benefits system, has exposed the private data of potentially hundreds of thousands of residents. This incident follows repeated warnings from state auditors about critical cybersecurity vulnerabilities within the state’s infrastructure, raising serious questions about the state’s preparedness and response to such threats.
Months before the attack, the state auditor general issued a scathing audit for fiscal year 2023, explicitly highlighting the state’s inadequate cybersecurity resources.
The audit stated, “The state currently does not have sufficient resources dedicated for the size and complexity of state operations,” and criticized the slow pace of risk mitigation efforts.
This wasn’t a new concern; previous audits contained identical warnings, underscoring a pattern of neglect.
The April 2023 audit specifically flagged vulnerabilities within RIBridges and the Medicaid Management Information System, stating,
“Certain internal control deficiencies should be addressed to improve the state’s monitoring of information systems security over RIBridges and the Medicaid Management Information System.”
These warnings, tragically, went largely unheeded.
The cyberattack, announced last week, has left state officials scrambling to implement backup plans for those dependent on state assistance. The breach has potentially exposed sensitive personal information, causing significant distress and uncertainty for countless Rhode Islanders. The state has since shut down the RIBridges website and established a call center (833-918-6603) and website (cyberalert.ri.gov) to assist affected individuals.
Cybersecurity Failures and Lack of Preparedness
Ken Block, former Republican and Moderate Party gubernatorial candidate, president of Simpatico Software Systems, and founder of Watchdog RI, sharply criticized the state’s response, stating,
“The question is: Is the governor’s office and legislative leadership reading these reports and taking action where action needs to be taken? It doesn’t look like it. They are closing the barn door after the horses have been stolen.”
While the state Department of Administration spokesperson, Karen Greco, claimed that “corrective action plans based on the findings in the auditor general report” were implemented, these actions clearly proved insufficient.
Greco detailed some of the state’s cybersecurity investments, including a “Governance, Risk, and Compliance tool,” a security strategy assuming all access requests are cyberattacks, a “cloud first” strategy, and staff training. However, she admitted that the state is still awaiting an analysis from Deloitte, the RIBridges vendor, to determine the root cause of the breach. Until this analysis is complete, she stated, “Any comment on preparation would be speculation.”
Further highlighting the state’s inadequate preparedness, the audit noted, “The state needs to further enhance its coordination and training to improve its incident response capabilities in the event of a data breach. The lack of consistent statewide incident response training increases the risk that the state will not properly respond, in a coordinated manner, to an IT security incident.”
“You really don’t want to read that we are deficient in incident response in the middle of a data breach.”
The audit also pointed out the insufficient investment in technology and personnel to support the increasingly complex treasury operations, stating,
“The complexity of treasury operations has increased substantially over the years without significant modifications to the state’s investment in technology and personnel to support those efforts and to ensure internal control best practices are maintained.”
Despite the 2015 Identity Theft Protection Act and its 2023 update, which mandates that private information be protected, access controlled, and encrypted, Senator Louis P. DiPalma, Chairman of the Senate Finance Committee, expressed concern, stating,
“One question I asked: Was this data access controlled and encrypted as required by the new law? I have not yet received an answer.”
He anticipates the breach could affect over 500,000 people, potentially representing one of the largest state breaches percentage-wise in the country. He hopes the governor will allocate funds to improve Rhode Island’s cybersecurity posture in the upcoming budget.
A contract worth $419,120 over two years was awarded to Inspira Enterprise Inc. in October 2024 for a security and privacy test on the RIBridges system, two months before the cyberattack was discovered. This further underscores the lack of proactive measures taken despite prior warnings.
The RIBridges cyberattack serves as a stark reminder of the critical need for robust cybersecurity measures and proactive risk management in government systems. The lack of adequate response to previous warnings has resulted in a significant data breach with potentially far-reaching consequences for Rhode Island residents.