Rhode Island publishes RIBridges hack investigation details

The state of Rhode Island announced the results of a CrowdStrike-led analysis of the 2024 RIBridges hack and data breach that affected more than 600,000 people.

The state of Rhode Island publicly released the results of a third-party analysis of the 2024 RIBridges cyberattack and data breach at a press conference with Rhode Island Governor Dan McKee and Chief Digital Officer Brian Tardiff. Cybersecurity company CrowdStrike conducted the analysis, which revealed the five-month timeline of the breach and a more accurate number of impacted individuals: approximately 644,401 people.

RIBridges is a system run by Deloitte that the state of Rhode Island uses to administer important social services benefits like health insurance, food stamps and the Child Care Assistance Program.

As previously reported, Deloitte informed the state of a potential security threat to RIBridges on Dec. 5, 2024, stating that there was a high probability that a cyberthreat actor had obtained files containing sensitive information. The Brain Cipher cyberthreat group later took responsibility for the hack. The state took RIBridges temporarily offline and later sent notification letters to nearly 650,000 individuals.

The newly released third-party analysis provided clarity on how the cyberthreat actor gained access to the RIBridges environment and how it performed data access, staging and exfiltration activities on 28 RIBridges systems. Reviewing post-incident analyses of healthcare data breaches can help defenders bolster security efforts.

CrowdStrike analysis reveals breach timeline, access details

On July 2, 2024, a cyberthreat actor entered the RIBridges system through the unauthorized use of Deloitte credentials.

"At that time, the Threat Actor successfully authenticated to the RIBridges non-production virtual private network (VPN) from an external IP address using a non-state of Rhode Island non-privileged account," the CrowdStrike report stated.

"CrowdStrike was unable to determine how the Threat Actor gained access to the credentials used to authenticate to the VPN or if multifactor authentication (MFA) was bypassed."

The next day, the cyberthreat actor started a remote desktop session to an application server from a VPN pool IP address and proceeded to initiate remote sessions across six other RIBridges systems.

They continued to perform reconnaissance, escalate privileges, conduct credential harvesting and use a commercially available remote monitoring tool to maintain access to the RIBridges environment throughout July 2024.

From July to November, the cyberthreat actor repeatedly browsed files and interacted with folders throughout the impacted systems, later transferring data to an external cloud storage provider.

"CrowdStrike's review did not reveal the presence of any artifacts related to ransomware execution in the RIBridges environment nor the presence of any Brain Cipher ransomware notes," CrowdStrike noted.

"Additionally, discussions with RI and Deloitte did not reveal either entity discovering the presence of ransomware or system availability issues commonly associated with ransomware events."

The cyberthreat actor most recently accessed the RIBridges environment on Nov. 28, 2024, and investigators have not detected any associated activity since then. There was no evidence that the cyberthreat actor was able to move laterally from the RIBridges environment to other state-run environments.

The investigation determined that approximately 114,000 of the individuals who received breach notification letters in January 2025 were, in fact, not impacted by the breach. However, investigators also uncovered an additional 107,000 individuals who were impacted by the breach but were not notified in January. The total breach tally sits at 644,401 individuals.

Recovery, notification efforts underway

The state of Rhode Island and Deloitte have been working to notify impacted individuals and recover from the RIBridges hack since they first identified the incident in December 2024.

"This series of events and the risks that were placed on the public are unacceptable, and as I said earlier, Deloitte missed some issues that we certainly hold them responsible for," McKee said at the press conference.

In February 2025, Deloitte agreed to provide Rhode Island with $5 million to cover expenses related to the breach. The funds went toward costs associated with the 2,000 HealthSource RI customers who were enrolled directly in coverage in January and February and who had to enroll in alternative plans.

In addition to the $5 million, Deloitte covered the costs of credit monitoring and identity theft protection services for affected consumers.

"The State is in the process of pursuing options to modernize the current RIBridges system managed by Deloitte, with the goal of transitioning to a new system," a press release from McKee's office stated.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
