The woman who now spends 15 to 30 minutes a day checking her bank information, even after setting up new accounts to avoid any more surprise Amazon charges. The mother of a 2-year-old claimed as a dependent on a stranger’s tax return. Another woman who now locks and unlocks her EBT card every time she uses it. The man who claims his “time has been lost forever and cannot be recaptured.”
These are a few experiences cited by plaintiffs in a March 28 class action lawsuit against the architect and vendor of the state of Rhode Island’s online public benefits and health insurance marketplace portal, RIBridges. The system was hacked by cybercriminals in July 2024, exposing the personal information of an estimated 644,401 Rhode Islanders. The data breach went undetected and unpublicized until mid-December. The cybercriminal group Brain Cipher took credit for the breach and leaked the data online shortly before the new year.
Now the plaintiffs are one step closer to possible relief under a tentative agreement with defendant Deloitte.
Documents filed in the U.S. District Court for the District of Rhode Island show the parties entered into mediation in June. Following an Aug. 19 mediation session, lawyers for both sides told the court on Aug. 25 that they’d reached an agreement “in principle” and would file a preliminary-approval motion within 45 days. Details, however, are slim as to what that settlement might look like.
Peter Wasylyk, who serves as the plaintiffs’ local liaison on the multistate legal team representing the aggrieved, said in a phone call Thursday afternoon that “it’s only internally settled.”
“So at this point, unfortunately, there’s no information to give other than what was filed with the court,” Wasylyk said. “Once the final settlement is drafted, we’re going to file it with the court. I’m sure we’ll have a lot more to say once we get the final settlement.”
On Sept. 5, District Judge Melissa R. DuBose extended a stay on approval so that both parties can work out the final settlement on paper. The parties have until around Oct. 9 to file their draft agreement for court approval.
The tentative settlement intends to resolve the case Pannozzi v. Deloitte Consulting LLP, which merged a set of six interrelated lawsuits filed in response to the RIBridges data breach into one case.
A small number of people who did not apply for benefits were also affected, as the federal government allows states one connection to national databases used to determine benefit eligibility, a pathway RIBridges fulfills in the Ocean State.
People affected by the breach — whose stolen data may have included names, addresses, Social Security numbers, and health and banking information — were notified earlier this year and provided free credit monitoring.
If the court approves the settlement, it’s likely a public claims site would go live so eligible people could apply for any possible compensation. Following that, a final court “fairness hearing” typically approves the settlement terms and payouts.
Deloitte has already reimbursed the state $5 million for credit monitoring and other costs associated with the incident. Neither Deloitte nor the Rhode Island Department of Administration — which runs the RIBridges system through its technology office — responded to requests for comment.
A separate civil investigation by the office of Rhode Island Attorney General Peter Neronha is still ongoing, spokesperson Tim Rondeau said in an email Thursday.
Meanwhile, the state is in the final steps of securing a vendor, The Northland Highland Holding Company LLC, to “modernize” the RIBridges system, according to a procurement determination form posted online in July. The RIBridges architecture dates back to the late 2010s and, last year, the state started seeking a new vendor to build upon, but not replace, Deloitte’s existing system. The nearly $3.8 million contract would run from Jan. 1, 2026, through June 30, 2027, with four annual renewals possible after the existing contract period.
Deloitte points finger at Brain Cipher
The March 28 filing from the plaintiffs and their attorneys alleges that Deloitte’s “lax data security policies” helped to create the conditions for the breach, and that “Plaintiffs and Class Members were injured and lost money or property, which would not have occurred but for the unfair and deceptive acts, practices, and omissions” it attributes to Deloitte.
“Deloitte was at all times fully aware of its obligation to protect the personal and financial data of consumers, including Plaintiffs and members of the Class,” the 71-page suit reads. “Deloitte was also aware of the significant repercussions if it failed to do so.”
In a 52-page memo filed on May 27 in support of Deloitte’s motion to dismiss the case, the defense argued that the multibillion-dollar consultancy actually had no duties to the plaintiffs or any consumers, but to the state alone.
The memo signed by one of Deloitte’s attorneys, Jeffrey S. Brenner of Providence firm Nixon Peabody LLP, argues that the suit does not “allege any facts establishing a direct relationship between Deloitte and Plaintiffs — either through contract, commerce, or otherwise.”
“Indeed, Plaintiffs do not even allege that they were aware at any point prior to the RIBridges Incident that Deloitte had a role in the Rhode Island State-managed RIBridges system, much less that they had any direct relationship with Deloitte at any point whatsoever,” the memo reads.
Brenner concluded that Brain Cipher was the true source of the plaintiffs’ woes, and that the cyber gang’s actions were “specifically designed to subvert and evade Deloitte’s operation of the RIBridges system.”
“Thus, even if Plaintiffs were able to establish that Deloitte breached a duty of care, Brain Cipher’s criminal cyber-attack severs the causal chain and renders any alleged negligence on the part of Deloitte too ‘remote’ to give rise to liability,” the attorneys wrote.
Because Brain Cipher was the ultimate source of injury, the attorneys argued, Deloitte could not be held accountable for the impact alleged by the plaintiffs. The defense was not too impressed by the extent of that impact either, writing that the complaint offered “no specific facts tying their alleged injuries to the RIBridges Incident.”
In the case of one plaintiff who testified in court documents that he had lost irretrievable time dealing with the breach’s after-effects, the defense wrote that the plaintiff “fails to include any specific allegations of how his lost time would have been spent — and expressly alleges that it may have been used for ‘recreation.’”
“Moreover,” the memo adds, “the theory that they were damaged as a result of the RIBridges Incident is facially inconsistent with Plaintiffs’ own admission that thousands of data breaches occur every year that could just as likely be the cause of the alleged injuries.”
This story was originally published by the Rhode Island Current.