I originally worked with state benefits systems during my years at Printrak, and have performed analysis of such systems at Bredemarket. These systems store sensitive personal data of many Americans, including myself. And they are therefore a target for hackers.
The hack at RIBridges
A huge benefits system was hacked in Rhode Island, according to the State.
“On December 5, the State was informed by its vendor, Deloitte, that the RIBridges data system was the target of a potential cyberattack….”
That was just the beginning.
“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat.”
RIBridges is…um…a bridge from Rhode Island residents to various Federally sponsored but State administered benefits programs, including:
- Medicaid,
- Supplemental Nutrition Assistance Program (SNAP),
- Temporary Assistance for Needy Families (TANF),
- Child Care Assistance Program (CCAP),
- Health coverage purchased through HealthSource RI
- Rhode Island Works (RIW),
- Long-Term Services and Supports (LTSS), and
- General Public Assistance (GPA) Program
State benefits systems such as RIBridges are complex and often hosted on old infrastructure that requires modernization. (“Modernization” is a great buzzword to use to toss around when describing aging state computer systems, as I know from my years working with driver’s license and biometric identification systems.) The older and more complex the system, the easier to hack.
The history of RIBridges
This complexity is certainly true of Deloitte’s hacked RIBridges system.
“Gov. Daniel McKee…said the state will pay the firm $99 million over the next three years to manage and build out the RIBridges computer system….The firm has been developing the software, which handles the state’s Medicaid, SNAP and other welfare programs, since 2016, though delays and errors during (previous Governor) Raimondo’s administration caused the state to overspend by at least $150 million as of 2019, the last time the state renewed Deloitte’s contract.”
Why is Deloitte’s performance less than ideal? Anthony Kimerv of Biometric Update explains the issues facing RIBridges.
“Federal agencies, including the federal Centers for Medicare and Medicaid Services, had warned Rhode Island before the system’s launch that it was not ready for deployment….RIBridges proceeded despite clear operational risks, leading to immediate and widespread problems. The launch resulted in significant disruptions to benefits distribution, with thousands of residents experiencing delays in receiving critical assistance. Backlogs soared, with more than 20,000 cases piling up due to system malfunctions.”
After much time and effort the backlogs decreased, but the treasure trove of personally identifiable information (PII) remained a target.
“As a central repository for sensitive personal data, including financial information and health records, RIBridges became a potential target for cyberattacks. Security audits revealed vulnerabilities in the system’s defenses….Cybercriminals exploited weaknesses in RIBridges to access sensitive data. The attackers bypassed existing security measures, inserted malicious code, and obtained unauthorized access. The breach exposed flaws in the system’s technical defenses and highlighted issues with its oversight and vendor management.”
The consequences for RIBridges applicants
So now the system is down, applicants are using paper forms, and a cyber criminal is requesting a payout.
(Image by Google Gemini)
Bredemarket 