Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid.
Governor Dan McKee, addressing the media, called the attack “alarming” and urged residents to take immediate precautions to protect their information. Compromised data includes Social Security numbers, banking details, addresses and dates of birth. “This breach is a stark reminder of the vulnerabilities in government IT systems,” McKee said. “We are working with Deloitte and law enforcement to contain the damage and restore public trust.”
Timeline of the attack
The cyberattack began on December 5, when Deloitte, the developer and maintainer of RIBridges, alerted state officials to suspicious activity. Initially, it was unclear whether sensitive data had been accessed. Over the following days, Deloitte implemented additional security measures while investigating the breach.
On December 10, hackers provided a screenshot of file folders as proof of their access, prompting Deloitte to confirm that the RIBridges system had been compromised. Further analysis revealed a high probability that the stolen files contained personally identifiable information (PII). By December 13, Deloitte had identified malicious code within the system, leading the state to shut down RIBridges to mitigate further damage and begin remediation.
How the attackers gained access
While the exact infiltration method remains under investigation, early findings suggest that the attackers exploited vulnerabilities in the system’s architecture, likely through phishing emails targeting administrative accounts or unpatched software weaknesses. The malware deployed by the cyber criminals enabled unauthorized access and allowed the attackers to exfiltrate data unnoticed for several days.
This breach has highlighted persistent security challenges in government IT systems, which often struggle to keep pace with evolving cyber threats. RIBridges, developed in 2016 under the Unified Health Infrastructure Project (UHIP), has faced years of technical and operational issues, including public criticism for its vulnerabilities.
Impact on residents and state operations
The breach has far-reaching implications for Rhode Island’s residents and government services. Programs impacted include Medicaid, SNAP, Temporary Assistance for Needy Families (TANF) and health insurance purchased through HealthSource RI. The RIBridges system’s offline status has forced the state to resort to manual processing for December benefits and January payments, creating delays and disruptions for thousands of families.
State officials have contracted Experian to provide free credit monitoring to affected residents and set up a dedicated call center to offer guidance. McKee also urged residents to take proactive steps, including freezing their credit, updating passwords and enabling multi-factor authentication.
Comparisons to other state-level ransomware attacks
Rhode Island is not the first state to be targeted by a ransomware attack on its central systems. In 2019, Texas faced a coordinated ransomware assault that impacted 22 local entities, including state-run agencies, though its centralized IT infrastructure mitigated the spread. Similarly, Colorado’s Department of Transportation suffered a ransomware attack in 2018, which disrupted operations and required weeks to fully resolve.
These incidents underscore the growing threat of ransomware to state governments. Unlike attacks on local municipalities, state-level breaches can potentially disrupt critical systems serving millions of residents, amplifying the stakes for government cybersecurity teams.
What comes next?
The FBI and other federal agencies are assisting in the investigation, while Deloitte works to remediate the vulnerabilities and restore RIBridges. Meanwhile, negotiations between the state’s representatives and the cyber criminals are ongoing, though officials have not disclosed the ransom amount or whether they intend to pay it.
“That conversation is going on directly with Deloitte and the cyber criminals. That’s how this process works, we’re learning a little bit about it,” McKee said. “But we’re being notified of the progress on it, and ultimately, it does end up with that decision with me.”
The attack has reignited calls for stronger cybersecurity measures in government IT systems. Experts recommend adopting zero trust security models, conducting regular vulnerability assessments and increasing investments in cybersecurity infrastructure to prevent future breaches.
“This breach is a wake-up call,” says Brian Tardiff, Rhode Island’s Chief Digital Officer. “We need to ensure that our systems are resilient against increasingly sophisticated cyber threats. The stakes are too high to do otherwise.”