
Rhode Island settles with Deloitte for $12 million over breach


Brain Cipher used a stolen Deloitte employee credential to access Rhode Island's public benefits system for five months while 397 firewall alerts went unnoticed, exposing the data of 644,000 residents.

 

What happened

Rhode Island Governor Dan McKee has announced a final settlement agreement with Deloitte Consulting LLP over the December 2024 ransomware attack on RIBridges, the state's public benefits administration platform, bringing the state's total direct financial recovery to $12 million. According to the Rhode Island Governor's press release, Deloitte has agreed to pay an additional $7 million under the final agreement, following a $5 million payment made in early 2025 to cover immediate incident costs. Deloitte has also provided $6 million worth of system enhancements, operational support, and business continuity services outside its existing contract at no additional charge to the state. The settlement brings the state's legal proceedings against Deloitte to a close. Separately, Deloitte settled a $6.3 million class action lawsuit from 735,501 affected individuals, with a federal court approving that settlement in January 2026. Deloitte has denied wrongdoing throughout all proceedings.

 

Going deeper

The Brain Cipher ransomware group used stolen credentials belonging to a Deloitte employee to access the RIBridges VPN and entered the system as early as July 2, 2024. According to Rhode Island Current, a CrowdStrike forensic investigation found that Brain Cipher accessed 28 of RIBridges' 338 backend environments over five months, using commercially available RMM tools and a reverse proxy to maintain persistent access. Between November 11 and November 28, 2024, the RIBridges firewall management portal generated 397 alerts from 15 systems about large data transfers to an external cloud storage provider. None of those alerts prompted detection. It was not the firewall alerts but a Brain Cipher post on its dark web leak site on December 4, 2024, claiming data theft that prompted Deloitte to investigate. The breach was confirmed on December 13, 2024. The system was shut down and remained offline for approximately one month. The data of 644,401 individuals was ultimately confirmed as compromised, including names, addresses, Social Security numbers, dates of birth, and health and banking information. Brain Cipher subsequently leaked the stolen data when no ransom was paid.

 

What was said

Governor McKee stated in the official press release, "This agreement reflects a deliberate effort to protect Rhode Island taxpayers while ensuring the State has the resources needed to move forward." Earlier, McKee had been more direct about Deloitte's failures, stating, "Deloitte missed some issues that we certainly hold them responsible for. That this would be undetected for that period of time is something that is just unacceptable." Deloitte signed the settlement agreement on April 15, 2026, with Principal Lindsay Musser Hough signing on behalf of the firm.

 

In the know

The RIBridges breach shows a specific and recurring failure pattern in managed service arrangements: the vendor responsible for monitoring a system failed to act on its own monitoring alerts while the attack was in progress. According to Rhode Island Current, Deloitte's contract with Rhode Island is set to expire at the end of June 2026, and the state is in the process of selecting a new vendor to modernize the RIBridges system, a process expected to take 18 to 24 months. Brain Cipher claimed the attack required cracking only an 8-character password to access a domain controller, a process the group said took five minutes.

 

The big picture

The RIBridges case establishes a financial accountability framework for managed service vendors whose security failures enable ransomware attacks on government systems. A combined $18.3 million in state settlement payments and class action compensation, plus $6 million in unreimbursed services, represents a meaningful consequence for a vendor whose monitoring failures allowed a five-month intrusion to go undetected. For healthcare and government organizations that outsource system management to third parties, the case draws a direct line between 397 ignored firewall alerts and a $12 million settlement. The same forensic pattern that Paubox documented in its Top 3 Healthcare Email Attacks report, where vendor and business associate security failures account for 28% of healthcare breaches, applies equally to government benefit systems that hold Medicaid, SNAP, and health insurance data for populations that cannot easily absorb the consequences of identity theft.

 

FAQs

Why did 397 firewall alerts not trigger detection of the breach?

The alerts were generated by the firewall management portal but were not acted upon by the monitoring team. The forensic report does not indicate the alerts were suppressed or hidden, only that they went unaddressed during the period of active data exfiltration. Alert fatigue and inadequate escalation procedures in managed service environments are documented contributors to this category of detection failure.
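One way a monitoring team can turn a stream of individual large-egress alerts into an escalation is to correlate them by destination and host over a time window, as in this added Python example (not code from the page, from Deloitte or from the state; the alert line format, field names, thresholds and host names are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts modelled on the pattern in the report: repeated
# large outbound transfers from several internal hosts to one external cloud
# storage destination. The line format and field names are assumptions.
SAMPLE_ALERTS = [
    "2024-11-11T02:14:00 host=app-07 dst=cloud-storage.example bytes_out=4200000000 rule=large-egress",
    "2024-11-11T03:40:00 host=app-07 dst=cloud-storage.example bytes_out=3900000000 rule=large-egress",
    "2024-11-12T01:05:00 host=db-03 dst=cloud-storage.example bytes_out=8100000000 rule=large-egress",
    "2024-11-13T04:22:00 host=app-12 dst=cloud-storage.example bytes_out=2700000000 rule=large-egress",
    "2024-11-14T00:31:00 host=web-01 dst=cdn.example bytes_out=150000000 rule=large-egress",
]


def parse_alert(line):
    """Parse one 'timestamp key=value ...' alert line into a dict."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def escalate(alerts, window=timedelta(days=7), min_hosts=2, min_bytes=5_000_000_000):
    """Return human-readable escalation reasons for a batch of egress alerts.

    Escalates a destination when (a) at least `min_hosts` distinct internal
    hosts sent large transfers to it inside `window`, or (b) any single host's
    cumulative egress to it across the batch reaches `min_bytes`. Either
    condition is a sustained exfiltration pattern, not a one-off transfer.
    """
    recs = sorted((parse_alert(line) for line in alerts), key=lambda r: r["ts"])
    by_dst = defaultdict(list)
    for r in recs:
        by_dst[r["dst"]].append(r)

    reasons = []
    for dst, group in by_dst.items():
        # Condition (a): slide a window from each alert and count distinct hosts.
        for i, start in enumerate(group):
            in_window = [r for r in group[i:] if r["ts"] - start["ts"] <= window]
            hosts = {r["host"] for r in in_window}
            if len(hosts) >= min_hosts:
                reasons.append(f"{dst}: {len(hosts)} hosts with large egress within {window.days}d")
                break
        # Condition (b): cumulative bytes per host to this destination.
        per_host = defaultdict(int)
        for r in group:
            per_host[r["host"]] += r["bytes_out"]
        for host, total in per_host.items():
            if total >= min_bytes:
                reasons.append(f"{dst}: {host} cumulative egress {total} bytes")
    return reasons
```

Each alert on its own looked like a routine large transfer; the correlation is what makes the batch an incident, and the output is meant to feed an on-call escalation rather than a dashboard.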

 

What makes a public benefits system a particularly high-value ransomware target?

Public benefits platforms hold concentrated data on low-income populations who are often less likely to have existing credit monitoring and less able to absorb the financial consequences of identity theft. The data combines Social Security numbers, health information, banking details, and household composition data in a single system, making the combined record more valuable than any individual element alone.

 

What did the CrowdStrike investigation find about how the breach began?

Brain Cipher used stolen Deloitte employee VPN credentials to gain initial access. The forensic investigation could not determine how those credentials were obtained or whether multi-factor authentication was in place or bypassed. The inability to answer those questions represents a significant gap in the forensic record, given that credential theft was the confirmed entry point.

 

How does the Deloitte settlement affect future government vendor contracts?

The $12 million state settlement plus $6.3 million class action resolution creates a documented financial consequence for vendor-side security failures in a government-managed service contract. Future procurement processes for similar systems are likely to include more prescriptive security monitoring requirements and clearer contractual liability frameworks in the event of a breach.

 

What happened to the affected individuals' data after Brain Cipher leaked it?

Brain Cipher published at least some of the stolen data on its dark web leak site when the ransom was not paid. Affected individuals were offered five years of complimentary credit monitoring through Experian. The state has noted it continues to monitor the dark web for evidence of data misuse.
