Over nine months after state officials announced that cybercriminals illegally accessed hundreds of thousands of Rhode Islanders’ personal information via a government-run database, the online platform’s vendor, Deloitte, has agreed to settle multiple class-action lawsuits.
According to court documents filed in federal court on Aug. 25, the settlement agreement addressed six interrelated legal complaints filed together as Pannozzi v. Deloitte Consulting LLP.
Court filings do not outline any settlement details, though impacted individuals are expected to be eligible for compensation. A motion for preliminary approval is expected to be filed before Oct. 9.
Led by cybercriminal group Brain Cipher, the cyberattack targeted RIBridges, the state’s online public benefits system, The Herald previously reported. An external investigation later found that the cyberattack occurred between July and November of last year.
About 650,000 Rhode Islanders were affected, with breaches to personal information like names, bank accounts and social security numbers, Gov. Dan McKee’s office reported in December. According to McKee, Brain Cipher uploaded some of the breached information onto the dark web.
Rhode Islanders enrolled in public benefit programs like Medicaid and the Supplemental Nutrition Assistance Program may have been impacted by the breach. Current and former clients of HealthSource RI, the state’s health insurance marketplace, may have also been affected.
In the weeks following the announcement of the breach, Deloitte was hit with multiple class-action lawsuits. A complaint filed earlier this year by Ronald Pannozzi and other R.I. locals affected by the breach alleged that Deloitte failed to “properly secure, safeguard, encrypt and/or timely and adequately destroy” personal data, which incurred financial losses for RIBridges users.
Neither Deloitte nor McKee’s office responded to The Herald’s requests for comment.
Deloitte is also undergoing civil investigation by R.I. Attorney General Peter Neronha P’19 P’22, and in February, the company paid the state $5 million to cover expenses resulting from the breach.
“Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support,” McKee said in a press statement at the time.
Deloitte’s contract with the Ocean State is set to expire at the end of June 2026. Rhode Island is currently exploring other vendors — such as the Northland Highland Holding Company — to modernize the existing system.
Megan is a metro editor covering health and environment. Born and raised in Hong Kong, she spends her free time drinking coffee and wishing she was Meg Ryan in a Nora Ephron movie.
