PROVIDENCE – Fitch Ratings says it does not foresee any immediate effect on Rhode Island’s “AA” bond rating and positive outlook in the wake of the cyberattack on the RIBridges system that hosts the state’s social services and health insurance exchange.
Fitch said in a statement Monday that the incident highlights the increased vulnerability of municipalities to cyberthreats, but it assesses the likelihood of this incident affecting Rhode Island’s credit rating as low, assuming the breach is not more extensive than disclosed and operations are restored soon with minimal long-term fiscal effects.
The agency, which is one of several that set risk ratings that can affect borrowing costs for entities such as municipalities, noted that RIBridges is operated by Deloitte Consulting LLP.
Fitch cautioned that it continues to monitor the situation. Factors that could hurt the state’s credit rating include significantly increased costs for staffing, system recovery and potential litigation, with a class-action lawsuit already filed against Deloitte. The extent of the state’s direct responsibility for additional costs is unclear, Fitch said.
The state’s long-term issuer default rating and general obligation bond rating of AA is two notches below Fitch’s highest-quality rating of AAA.
In early December 2024, a cybercriminal organization claimed to have breached RIBridges, which led Deloitte and the state to take the portal offline as they worked to resolve the issue. Gov. Daniel J. McKee announced the breach on Dec. 13.
Developed in 2016, RIBridges supports applications and eligibility determinations for numerous state social service programs, including Medicaid and child care, as well as the state’s health insurance exchange. Officials state that the data of about 650,000 people might be affected by the breach, with 320,000 currently enrolled in Medicaid and the Children’s Health Insurance Program.
Upon discovering malicious code inserted into the system, Deloitte and the state shut down RIBridges and advised program participants to safeguard their data. Deloitte reported potential exposure of RIBridges users’ personally identifiable information.
The cybercriminal organization has since released at least some RIBridges files to a site on the dark web. The Deloitte information technology teams are working to analyze the released files. The breach’s full scope and cause remain unknown and may take several months to determine, Fitch said. The R.I. Department of Human Services transitioned to paper applications and reassigned staff to phone centers and offices.
Fitch said states and local governments, which often handle sensitive information, are high-risk targets for cybercrime. Many states, including 25 with Deloitte contracts for Medicaid eligibility systems, rely on external vendors for technological services, making cyber protection clauses in contracts essential. Deloitte asserts that RIBridges is the only one of its clients’ systems known at this time to be affected by the attack, Fitch said.
The rating agency said Rhode Island has a $292 million general fund surplus and dedicated statutory reserves totaling $344 million as of June 30, 2024. The R.I. Office of Management and Budget has projected a $330 million deficit for its coming fiscal year.