Let me start by saying that I cannot predict the future. But I can extrapolate the past forward.
The state of Rhode Island, a few years ago, decided that the consulting firm Deloitte could run the state benefits systems for things like SNAP and Medicaid, among other services, better and cheaper than the state could. This is not unusual; many government entities do this and, more importantly, are likely to expand doing this to save money under the next administration.
So what happened?
The governor held a Friday night news conference (that by itself is unusual). The governor said that hackers had compromised the state benefits system called RIBridges and as a result, the state decided to shut the system down to remediate the threat.
That means that state residents who depend on state benefits are, to be kind, out of luck until they figure things out.
The state decided, in 2021, to sign a new three-year contract with Deloitte to run the system (I guess that means the contract is about to expire). They decided this even though Deloitte failed at building an earlier version of the system called the Unified Health Infrastructure Project in 2016. That system “suffered from massive cost overruns before launch and catastrophic failures afterward”.
Information, the state says, that was likely stolen includes names, addresses, dates of birth, Social Security Numbers, as well as certain banking information. The governor’s office said that the investigation is not done, so it will likely get worse – it rarely gets better.
The governor’s office said “To the best of our knowledge, any individual who has received or applied for health coverage and/or health and human services programs or benefits could be impacted by this leak”. That includes Medicaid, Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Child Care Assistance Program (CCAP), health coverage purchased through HealthSource RI, Rhode Island Works (RIW), Long-Term Services and Supports (LTSS), and the General Public Assistance (GPA) Program.
The state didn’t disclose the breach earlier because they wanted to try and lock the barn doors first – even though there were no more horses left in the barn.
But not to worry, the state is offering free credit monitoring services. That should fix things, right? Remember, the people who use these systems are very poor, so even accessing this useless free “mitigation” is likely hard.
And, if their bank accounts are compromised or they are unable to get health insurance benefits because the state turned off the system to stop the dumpster fire from spreading, I am sure the state will fix things. Likely not. They outsourced this part of the work to yet another company.
Deloitte, of course, tried to spin this to say that no Deloitte systems were compromised – just the ones that the state was paying them to run.
This attack won’t have much impact on you if you don’t live in Rhode Island, but that is not why I am writing about it.
It is likely that the next administration will try to outsource more and more IT without regard to your security. Do I expect that after the next breach some CEO is going to prison? Or the company who got breached will have to pay a fine that is material to their bottom line? I don’t. One reason that Europe’s laws are based on a percentage of global revenue – up to 10 percent in some cases – is to try and get executives’ attention.
So while the feds want to offensively attack China next year to fix the problem, they also want to dismember CISA and eliminate regulations that might make businesses a little bit more accountable for their poor cyber hygiene practices.
Stay tuned since we don’t know how this will play out, but if the past is any indication of the future, it won’t be pretty.
By the way, this probably means that you should be looking out for number one (you). If you need help with that, please contact us.
Credit: Ars Technica