Rhode Island Governor Dan McKee announced the state has finalized a $12 million settlement with Deloitte Consulting LLP over the December 2024 ransomware attack on RIBridges, the state benefits administration platform serving more than 650,000 residents. The breach, attributed by Deloitte to the Brain Cipher ransomware gang, knocked the system offline and exposed personal data tied to Medicaid, SNAP, TANF, and HealthSource RI enrollees.

What Happened

In December 2024, attackers compromised RIBridges, the integrated eligibility system that gates access to nearly every major Rhode Island public assistance program. The portal and mobile app were taken offline, locking residents out of their accounts and forcing the state to manually enroll roughly 2,000 HealthSource RI customers directly into coverage for January and February 2025. Deloitte, the services provider operating the platform, paid Rhode Island an initial $5 million in February 2025 and has now agreed to an additional $7 million, finalizing direct recovery at $12 million. Deloitte separately settled a federal class action for $6.3 million, approved in January 2026, while continuing to deny wrongdoing.

What Was Taken

Private information belonging to a portion of the 650,000+ RIBridges users was exfiltrated, and the state has previously confirmed that some stolen data was posted to the dark web. RIBridges holds eligibility data for Medicaid, the Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), the Child Care Assistance Program, HealthSource RI health coverage, Rhode Island Works, Long-Term Services and Supports, and general public assistance, meaning the exposed records likely include names, Social Security numbers, dates of birth, household financial details, and benefits eligibility information. Deloitte agreed to fund the data breach call center, credit monitoring, and identity protection for affected individuals.

Why It Matters

This incident is one of the largest publicly disclosed financial recoveries to date by a U.S. state from an outsourced systems integrator following a ransomware breach, and it sets a meaningful precedent for state procurement and vendor accountability. Brain Cipher, a relatively young but aggressive ransomware-as-a-service operation, has now demonstrated reach into U.S. state-government supply chains by way of trusted contractors. With a single integrator running benefits platforms across multiple states, defenders should treat the RIBridges compromise as a portfolio-level warning rather than an isolated event.

The Attack Technique

Deloitte attributed the intrusion to the Brain Cipher ransomware gang, an international RaaS group that emerged in mid-2024 and has been linked to high-profile attacks on government and critical-infrastructure targets. Public disclosures from the state and Deloitte have not detailed the initial access vector, but the operational pattern, environment access by a third-party services provider followed by data theft and encryption, is consistent with Brain Cipher tradecraft observed elsewhere: credential abuse against vendor-managed infrastructure, lateral movement into integrated case-management systems, and double-extortion leak postings when ransom demands stall. The presence of stolen RIBridges records on dark web leak sites confirms the double-extortion phase ran to completion.

What Organizations Should Do

Sources: RI Settles With Deloitte for $12M Over 2024 Ransomware Attack on Benefits System