Deloitte Consulting LLP and Rhode Island Department of Administration: State announces $7 million settlement with contractor Deloitte over RIBridges cyber breach • Rhode Island Current

Rhode Island Secures $12 Million Settlement from Deloitte Over 2024 RIBridges Data Breach

The Rhode Island Department of Administration has finalized a $7 million settlement with Deloitte Consulting LLP, bringing the state’s total recovery from the 2024 RIBridges data breach to $12 million. The agreement, signed by Deloitte Principal Lindsay Musser Hough on April 15 and Acting Department Director Thomas Verdi on April 16, requires payment within 30 days unless an extended deadline is granted.

Deloitte, the vendor behind RIBridges (a state platform handling Medicaid, food stamps, and health insurance applications), had already provided $6 million in additional system enhancements and support at no cost to Rhode Island. The breach, discovered in December 2024, stemmed from a cyberattack by the group Brain Cipher, which infiltrated the system’s backend in July 2024 using stolen credentials from a Deloitte representative. The threat actors remained undetected for months, exfiltrating data from 28 of RIBridges’ 338 backend environments before triggering alerts in late November.

Governor Dan McKee first publicly disclosed the breach on December 13, 2024, after Deloitte confirmed the incident following a dark web post by Brain Cipher. The attack compromised the personal information of an estimated 644,401 individuals, including applicants and beneficiaries of state benefits. A third-party forensic report by CrowdStrike later revealed that the last malicious activity occurred on Thanksgiving Day 2024, though Deloitte did not notify the state until December 5.

In February 2025, the state received an initial $5 million from Deloitte to cover breach-related expenses. The latest settlement resolves all legal disputes between the parties, with both agreeing to refrain from further litigation, public disparagement, or encouraging third-party lawsuits. The agreement also includes a non-disparagement clause, requiring coordinated public statements.

Separately, Deloitte settled a class-action lawsuit in October 2025, which included Rhode Island as a "released party," shielding the state from additional claims. Over 47,000 class members filed claims for compensation, with most receiving around $100 and others eligible for higher reimbursements with documented losses.

While the forensic report attributed the breach to Deloitte’s failure to detect the intrusion, the settlement explicitly states that neither party admits liability. The state’s legal recourse appears exhausted, though Governor McKee previously stated that Deloitte bore responsibility for oversight lapses.

Source: https://rhodeislandcurrent.com/2026/04/24/state-announces-7-million-settlement-with-contractor-deloitte-over-ribridges-cyber-breach/

State of Rhode Island cybersecurity rating report: https://www.rankiteo.com/company/state-of-rhode-island

Deloitte cybersecurity rating report: https://www.rankiteo.com/company/deloitte

"id": "STADEL1777062830",
"linkid": "state-of-rhode-island, deloitte",
"type": "Cyber Attack",
"date": "7/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '644,401 individuals',
                        'industry': 'Public Sector / Social Services',
                        'location': 'Rhode Island, USA',
                        'name': 'Rhode Island Department of Administration '
                                '(RIBridges)',
                        'type': 'Government'}],
 'attack_vector': 'Stolen Credentials',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '644,401',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': 'Personal information (Medicaid, '
                                             'food stamps, health insurance '
                                             'applicants/beneficiaries)'},
 'date_detected': '2024-11-01',
 'date_publicly_disclosed': '2024-12-13',
 'description': 'The Rhode Island Department of Administration finalized a $7 '
                'million settlement with Deloitte Consulting LLP over a 2024 '
                'data breach of the RIBridges platform, which handles '
                'Medicaid, food stamps, and health insurance applications. The '
                'breach was caused by the threat actor group Brain Cipher, '
                'which used stolen credentials to infiltrate the system and '
                'exfiltrate data from 28 of 338 backend environments. The '
                'attack compromised the personal information of 644,401 '
                'individuals.',
 'impact': {'brand_reputation_impact': 'Negative impact on Deloitte and Rhode '
                                       'Island state government',
            'data_compromised': 'Personal information of 644,401 individuals',
            'financial_loss': '$12 million (settlement and enhancements)',
            'identity_theft_risk': 'High (personal information exposed)',
            'legal_liabilities': 'Class-action lawsuit settlements and '
                                 'regulatory fines',
            'operational_impact': 'Delayed notifications and breach response',
            'systems_affected': '28 of 338 backend environments of RIBridges'},
 'initial_access_broker': {'entry_point': 'Stolen credentials from a Deloitte '
                                          'representative',
                           'high_value_targets': '28 of 338 backend '
                                                 'environments',
                           'reconnaissance_period': 'July 2024 to November '
                                                    '2024'},
 'investigation_status': 'Resolved (settlement finalized)',
 'lessons_learned': 'Need for improved detection of intrusions, timely breach '
                    'notifications, and vendor oversight',
 'post_incident_analysis': {'corrective_actions': '$6 million in system '
                                                  'enhancements, $7 million '
                                                  'settlement, and '
                                                  'non-disparagement agreement',
                            'root_causes': 'Failure to detect intrusion, '
                                           'delayed breach notification, and '
                                           'oversight lapses by Deloitte'},
 'ransomware': {'data_exfiltration': True},
 'recommendations': 'Enhance monitoring, implement stricter access controls, '
                    'and improve incident response protocols',
 'references': [{'source': 'Rhode Island Department of Administration'},
                {'source': 'CrowdStrike Forensic Report'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit settled in '
                                            'October 2025'},
 'response': {'communication_strategy': 'Coordinated public statements, '
                                        'non-disparagement clause',
              'remediation_measures': '$6 million in system enhancements and '
                                      'support provided by Deloitte',
              'third_party_assistance': 'CrowdStrike (forensic report)'},
 'stakeholder_advisories': 'Non-disparagement clause and coordinated public '
                           'statements',
 'threat_actor': 'Brain Cipher',
 'title': 'Rhode Island RIBridges Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Undetected intrusion due to oversight lapses'}