PROVIDENCE – For the second year in a row, an infrastructure breakdown has made it a long December for Rhode Islanders.
Oddly enough, it involves another “bridge,” of sorts.
The state’s RIBridges public benefits computer system, built and run by Deloitte Consulting LLP, sustained a significant cyber breach on Dec. 4. Earlier this week officials informed the public that Brain Cipher, the ransomware gang taking responsibility for the breach, stole data on up to hundreds of thousands of residents, dating back to 2016.
This system failure comes close to a year after residents learned that the Washington Bridge’s westbound side, connecting Interstate 195 from Rhode Island’s East Bay to downtown, was forced to close, and will now be torn down and, at some point, rebuilt due to major deterioration.
The personal data taken by Brain Cipher may include Social Security and bank account numbers, along with information from health insurance received through HealthSourceRI. Since then, residents have filed a federal class-action lawsuit against Deloitte demanding accountability for the breach.
But should the state also shoulder blame if residents’ data gets stolen?
Multiple state officials, legal scholars and technology specialists have told Providence Business News that it’s too early to tell if the state legally is just as much at fault for the breach as Deloitte. But a national cybersecurity executive told PBN that the state “absolutely” bears some responsibility for what happened.
Kaustubh Medhe, vice president of research and cyber threat intelligence for California-based Cyble Inc., told PBN that even if the state outsources some operations to a third-party agency – such as having Deloitte operate RIBridges – that does not absolve the state of responsibility of securing the information the third party is processing. There also needs to be “a lot more due diligence” on the state side to make sure that the vendor has the right amount of security controls and processes in place to detect and prevent these kinds of incidents from happening, Medhe said.
Photo: KAUSTUBH MEDHE, Cyble Inc. vice president of research and cyber threat intelligence, says even if the state outsources some operations to a third-party agency, it does not absolve the state of responsibility of securing the information the third party is processing. / COURTESY KAUSTUBH MEDHE
“Even though the data processing or management of the systems would be handled by the third party, they are just the data processor,” Medhe said. “The agency who is responsible for the data and actual services continues to own the responsibility and accountability for securing that information.”
Cyberattacks against government entities in the U.S., such as the breach of RIBridges, are becoming quite commonplace. According to Medhe’s data, 68 state and municipal departments across the country, including RIBridges, have been attacked since the beginning of January.
In Hoboken, N.J., on the same day as the RIBridges attack, Russia-linked ransomware group ThreeAM reportedly stole thousands of files containing Social Security numbers, driver’s licenses, payroll, health and other personal information dating back to 1987 from every city department. Back in April, Lockbit, a prominent ransomware gang, reportedly claimed it attacked the Washington, D.C., Department of Insurance, Securities and Banking and stole 800 gigabytes of data through the third-party vendor the department was working with.
Not included in Medhe’s data is the breach against the Providence Public School District, currently under state intervention, that occurred three months ago.
“[Cyberattacks against government] is nothing new; it’s been happening all year long,” said Shakour Abuzneid, Roger Williams University professor and director of cybersecurity and networking. “This battle will continue.”
Cyber breaches can also be expensive. Medhe says depending on the breach and where the responsibility lies, a typical midsized organization may incur up to $1.5 million in post-breach expenses. Expenses may include elements related to call centers, credit monitoring, forensic investigations and legal.
Medhe also says agencies relying too much on third parties handling cybersecurity can cause some complacency to set in because “you assume or take things for granted.”
What the cyber breach shows, Medhe says, is agencies, including the state, need to look at third-party risk management very seriously and perform some level of due diligence on an ongoing basis, even with their existing vendors who are servicing them.
Envision Technology Advisors LLC Chief Operating Officer Jason Albuquerque agrees. He says your security is only as good as your weakest link. In many instances, your third party could be your weakest link, Albuquerque says.
Photo: JASON ALBUQUERQUE, chief operating officer for Envision Technology Advisors LLC, says your security is only as good as your weakest link and, in many instances, could be the third party providing cybersecurity services. / PBN FILE PHOTO / TRACY JENKINS
“Being able to assess them, having them show proof of compliance of cybersecurity program, really have them show they’re being secure by design and putting all of their effort into cybersecurity of that particular application or system they’re providing,” said Albuquerque, who writes a monthly column for PBN on cyberthreats facing businesses.
On the other hand, both House Speaker K. Joseph Shekarchi, D-Warwick, and Senate President Dominick J. Ruggerio, D-North Providence, tell PBN it is premature to know if the state should also be held responsible for the breach on RIBridges. In a joint statement, Shekarchi and Ruggerio said the state’s top priority is making certain that the benefits of so many Rhode Islanders are “not interrupted and that those impacted are provided the information to protect their identity so they do not become victims.
“We have been in regular communication with state and federal leaders and we will continue the ongoing discussions and monitor the latest developments,” they said.
Abuzneid and Albuquerque, along with Brian Lamoureaux, attorney for Johnston-based firm Pannone Lopes Devereaux & O’Gara LLC; and Rhode Island College Institute for Cybersecurity & Emerging Technologies Chairman James R. Langevin all shared similar sentiments with Shekarchi and Ruggerio in that it remains to be seen if the state is also responsible in part for the breach occurring.
“As things progress and information on the investigation is made public, the more we will be able to identify the root cause,” Albuquerque said. “Having helped so many organizations through cyber incident response in my career I can say that so far, the state has been doing a really good job communicating the situation, while in the middle of a cyber incident that affects our citizens, that stems from a third party and while in the middle of an active investigation involving private, state and federal agencies. That can be very chaotic and challenging.”
Langevin said that Deloitte as the third-party vendor “has the bulk of the responsibility,” pending the outcome of the investigation into the cyberattack.
Gov. Daniel J. McKee’s office did not immediately respond to PBN’s request for comment.
Local attorney Peter N. Wasylyk, representing the plaintiffs in a class-action lawsuit against Deloitte, declined to say why he didn’t include the state as a defendant, citing ongoing research and analysis of the case. He did say his clients are looking for both monetary and nonmonetary compensation. Nonmonetary compensation, he says, would be extended years of credit monitoring.
Experts who spoke with PBN do feel the state should do more to address cybersecurity. Langevin says he would love to have the state at least partner with the RIC cyber institute’s security operations center, which will offer 24/7 low-cost cybersecurity services to municipalities, nonprofits and school districts.
R.I. Auditor General David A. Gergantino, in his April report to the General Assembly, said the state, despite recent upgrades, “does not currently have sufficient resources” dedicated for the size and complexity of its operations, noting the state needs to create a comprehensive plan to address it. Risk mitigation, he said, is “not progressing quickly enough.”
Medhe said, “It’s all about implementing tighter cybersecurity governance, implementing cybersecurity risk management practices and processes and holding the agencies and vendors accountable.”
James Bessette is the PBN special projects editor and also covers the nonprofit and education sectors. You may reach him at Bessette@PBN.com. You may also follow him on X at @James_Bessette.