State announces $7 million settlement with contractor Deloitte over RIBridges cyber breach

A $7 million handshake between the Rhode Island Department of Administration and global consultancy Deloitte over the latter’s role in the 2024 RIBridges data breach has brought the state’s total windfall to $12 million for the incident.

Deloitte is required to pay up within 30 days of the agreement’s effective date, or comply with a later deadline if it receives one from the state.

The agreement, announced by Gov. Dan McKee’s office Friday afternoon, was signed by Deloitte Consulting LLP Principal Lindsay Musser Hough on April 15. The Department of Administration’s Acting Director Thomas Verdi — who has filled in as head of the department since ex-Director Jonathan Womer was ousted by the governor in March — signed the deal a day later.

“This was a comprehensive and carefully negotiated agreement,” Verdi said in a statement Friday.  

Friday’s announcement noted that Deloitte has supplied the state an additional $6 million in “system enhancements, operational support, and business continuity services in response to the incident that were outside the scope of their contract,” at no cost to the state.

Karen Greco, a Department of Administration spokesperson, said via email Friday that this “is the complete and final settlement of claims arising from or related to the RI Bridges cybersecurity incident.”

Asked how the $7 million might be appropriated, Greco said it was “premature” to determine that. 

Deloitte is the creator and vendor of RIBridges, which serves as the state’s one-stop-shop for public benefits and is used by Rhode Islanders to apply for and manage Medicaid, food stamps and other benefits. It’s also used to access the state’s health insurance marketplace, HealthSource RI, and shop for health plans.

While the customer-facing frontend for RIBridges was taken offline during the incident, it was the backend used by state employees that had been hacked in the 2024 breach. A cybercriminal group known as Brain Cipher quietly harvested information from the system for months before pilfering several large bounties of data in late 2024, triggering hundreds of file transfer alerts in late November. 

Deloitte and the state became aware in early December, and McKee first notified the public on Dec. 13, 2024.  

An estimated 644,401 people who received or merely applied for benefits via the RIBridges system had their personal information affected by the breach, and Brain Cipher leaked at least some of the data it exfiltrated from state servers.

“This agreement reflects a deliberate effort to protect Rhode Island taxpayers while ensuring the State has the resources needed to move forward,” McKee said in a statement Friday.

In February 2025, the state received $5 million from Deloitte for expenses tied to the cyberattack. 

Deloitte did not immediately respond to a request for comment Friday.

A ‘compromise of disputed claims’

Once Deloitte fulfills its new promise and pays the $7 million, and the state pays a number of invoices related to the project, both sides effectively relinquish their ability to further squabble in court over the cyberattack. Deloitte and the state cannot sue each other over the incident, they cannot encourage others to sue, and any public statements about the agreement must be choreographed in tandem.

News releases about the agreement, such as the one McKee’s office published Friday, are to be “discussed in advance by the Parties before [publication,]” the agreement notes, and an additional non-disparagement clause furthers the mandate that the parties play nice.  

“Each Party agrees that… it shall refrain from making any public statements…to third parties which are disparaging or derogatory about the other Party concerning the Incident,” the agreement reads, unless otherwise required by law.

The agreement notes it’s a “compromise of disputed claims” and both parties admit no liability in the incident. 

In October 2025, Deloitte settled a separate class action suit over the breach. While the state was not involved in that litigation, the class action suit nevertheless shielded the state by including it as a “released party,” thereby protecting the state from any claims made against it by people who did not opt out from the class action. Only 35 people opted out, according to the final settlement approved by the court in January. The state’s status as a released party is referenced in the new settlement.

Court filings showed that by January, slightly more than 47,000 eligible class members had filed claims to receive an approximate $100 payment without proof of identity theft, as well as larger reimbursements for claimants who submitted documented losses related to identity theft.

RIBridges firewall worked. But forensic report says hundreds of alarms went unnoticed.

While the cyberattack’s legal avenue is now likely exhausted of new information, the most complete technical analysis of the cyberattack remains the one the state shared, in abbreviated form, in May 2025. The third-party forensic report by CrowdStrike identified the incident’s beginning as July 2024, when Brain Cipher used a stolen username and password from a Deloitte representative to gain access to the system. 

The forensic analysis could not determine how the cybercriminals gained those credentials, but the threat actors stayed in the system for about five months, accessing 28 of RIBridges’ 338 backend environments with the help of a backdoor that allowed easy entry and exit for them alone. 

The last malicious activity recorded in the system was on Thanksgiving Day 2024, some time after the threat actors had already transferred large troves of data from the system to their own servers. Deloitte, however, did not notify the state until Dec. 5, 2024, a day after Brain Cipher posted to its leak site the spoils it had raided. The dark web post, in turn, prompted Deloitte to comb through their own servers.

Said McKee in May last year: “Deloitte missed some issues that we certainly hold them responsible for.”
