The deadline is April 30 to sign up for the services.
Governor Dan McKee said people should begin checking their mail in the coming days for the notices , which include a unique code to sign up for five years of credit monitoring and identity theft insurance. It will include identity restoration services for life.
PROVIDENCE — Letters were sent out Friday to roughly 657,000 people whose personal data was potentially compromised in the massive cyberattack on RIBridges, the state’s online benefits portal, last month. The number represents more than half of the state’s population.
State officials have acknowledged that hackers who breached the RIBridges system, which is managed by Deloitte, have released at least some of the data on the dark web. Brian Tardiff, the state’s chief digital officer, said Deloitte is assessing the data and has sent the state its initial findings, which Tardiff said the state is verifying with a third-party company. He declined to immediately release any information from the reports.
Get Rhode Map A weekday briefing from veteran Rhode Island reporters, focused on the things that matter most in the Ocean State. Enter Email Sign Up
The stolen data is expected to include Social Security numbers, names, addresses, dates of birth and health information for hundreds of thousands of people. The RIBridges system is where people sign up for public benefits like Medicaid and food stamps, along with private health insurance through the HealthSource RI portal.
Advertisement
The breached data goes back years, which is why the number of people affected is so high. It also includes people who applied for benefits but did not ultimately receive them.
“Deloitte is still reviewing the contents of all the breached files,” McKee said. “It is likely that more people will be affected in the future.” If that happens, more letters will go out.
Those who are affected are encouraged to freeze their credit, change passwords and take other steps to protect their identities such as turning on two-factor authentication on bank accounts.
More than 709,000 letters are going out, more than the total number of people affected, since some of the cyberattack victims are minors and all of their guardians will be notified.
The RIBridges system is still down, meaning customers cannot log into their accounts or sign up for benefits online. But they can sign up for benefits in person, through the mail or over the phone. Tardiff said the state is aiming to restore the system in mid-January.
Advertisement
Deloitte will be picking up the tab for the five years of credit monitoring and lifelong identity restoration, officials said. Asked how much it will cost to provide that for 657,000 people, McKee said: “a lot.” Jonathan Womer, the state director of administration, said Deloitte has agreed to pay the full cost.
Asked how the state will confirm they have the correct addresses, since people who previously had benefits may have moved, Womer said Experian will seek to contact customers whose letters are returned.
McKee asked that people not call right away if they don’t get a letter in the next few days. “We ask you to be patient and give the mail another few days to arrive before immediately calling the hotline,” McKee said.
The hotline number for the cyberattack is 833-918-6603 and the reference number is B137035.
Deloitte did not immediately respond to a request for comment on what their assessment of the data breach has found.
Attorney General Peter Neronha has suggested he might take legal action against Deloitte over the breach. The company has been asked to preserve records and documents.
Steph Machado can be reached at steph.machado@globe.com. Follow her @StephMachado.
Notices sent to 657,000 in R.I. benefits system cyberattack
