Brain Cipher begins to leak stolen Rhode Island data
Rhode Island Governor Dan McKee has confirmed that cybercriminals are attempting to leak stolen data after gaining unauthorized access to the state's central platform for operating numerous health and human services divisions, including social benefits.
WHY IT MATTERS
McKee’s office said Monday that, according to its consultant Deloitte, the hackers who broke into the IT system for the state's health and benefits programs earlier this month have released a set of files on the dark web, WPRI reported.
"Today the cyber criminals did in fact publish at least some of the Rhode Island Bridge's information and data files onto the dark web," McKee said during a press conference.
In a previous update on its website, the state said that Deloitte confirmed "a high probability that a cybercriminal has obtained files with personally identifiable information."
The consultant is working with the state to generate the list of impacted individuals.
"Once we have that information, we will send letters to those individuals with instructions on how to access free credit monitoring," the alert said.
HealthSource RI, the state’s marketplace for affordable health coverage, is part of the Ocean State's Department of Administration RIBridges system. It is temporarily unavailable due to the cyberattack announced on December 13.
According to the state website, the system that Deloitte manages is the main operations system for the state's management, including legal services, accounts and control, management and budget, purchasing, auditing, human resources, certain personnel services, capital asset management and maintenance, IT, energy resources and many internal services.
The state took the system offline after Deloitte discovered the network intrusion.
RIBridges also manages the state's Medicaid, SNAP and other social programs, many of which have switched to manual processes.
Due to the outage, HealthSource RI has extended open enrollment from Tuesday's deadline until February 28 through a call center. Plans that would not automatically renew for 2025 will now be extended until the system is restored and patients can select new plans, according to the website alert.
Government officials said they have identified about 650,000 people whose personal information – including Social Security and bank account numbers – was stolen from the system.
Databreaches.net reported Monday that it had made contact with Brain Cipher, and the ransomware group confirmed that they were responsible for the RIBridges attack. The site inspected the archive file with personal information provided by the threat actors.
Reaching the threat actors’ dark web leak site is challenging, however, according to the story.
Brain Cipher told the publication that they have been under a denial-of-service attack to try and stop them from leaking the data.
THE LARGER TREND
State records systems that hold protected health information are targeted in cyberattacks, and criminals have been known to publish protected data.
In July, RansomHub began leaking Florida Department of Health employee records, prescription data, screening information, Social Security numbers and more on a Tor-based leak site. The group claimed to have stolen 100 gigabytes of data from the Sunshine State's public health network.
Healthcare cybersecurity challenges outpace every other sector, according to an analysis of 2023 cyberattacks by SecurityScorecard, a supply chain cybersecurity firm.
The sector also leads in third-party data breaches, which snare providers, health plans, healthcare organizations and public health networks. Two years ago, a ransomware attack on a federal vendor, Healthcare Management Solutions, had the potential to impact up to 254,000 Medicare beneficiaries.
While the Centers for Medicare and Medicaid Services said that the vendor acted in "violation of its obligations," the federal agency is also under investigation by the U.S. Health and Human Services Office of Civil Rights for a cyber breach that ultimately affected 3,112,815 individuals, reported in September.
The recent CMS data breach was one in a string related to a vulnerability in the file transfer tool MOVEit.
ON THE RECORD
"Our top priority is exactly what we talked about – informing people, getting the information out, having people protect their identity and also get those benefits out," McKee said in response to a question about the state's continued relationship with Deloitte at Monday's televised press conference. "The issues that have to do with IT, we will take those issues one day at a time."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.