Deloitte Sued Over Breach of Government Benefits Recipient Data

Deloitte Consulting LLP failed to protect the sensitive information of Rhode Island individuals applying for or receiving government benefits, leading to a December cyberattack that exposed the personal data of thousands, a proposed class action said.

Deloitte didn’t take reasonable measures to protect its systems, monitor its computer network, or provide individuals with prompt notice after the breach, according to a complaint filed Sunday in the US District Court for the Southern District of New York.

Deloitte, which maintains the systems of Rhode Island’s social services platform RIBridges, first became aware of a cyberattack to its servers on Dec. 5, according to the complaint.

It notified Rhode Island government officials on Dec. 13 of a “major security threat,” the complaint said, and the RIBridges benefits portal was taken offline to address the attack.

Cybercriminals were able to infiltrate Deloitte’s systems, and stole unencrypted documents about individuals who applied for or enrolled in state administered benefits by RIBridges, it said.

In its notice to Rhode Island officials, Deloitte said any individual who has received or applied for health coverage or benefits “could be impacted” by the breach. Some of the programs affected include Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Child Care Assistance Program (CCAP).

Some of the information disclosed included names, addresses, dates of birth, Social Security numbers, and banking information, according to the complaint. Deloitte hadn’t sent notices of the breach to affected individuals before the filing of the suit, it said.

During a Dec. 14 press conference, Rhode Island Governor Dan McKee said the data stolen could “be exposed” in the “coming week,” based on information acquired by government officials.

“We know that this situation is alarming, and it’s stressful,” McKee said, adding that state officials are continuing to monitor the situation. The governor said he believes the personal data of hundreds of thousands could have been misappropriated.

Named plaintiff Patricia Mahoney, a Rhode Island resident and a recipient of benefits through RIBridges, accuses Deloitte of negligence, breach of implied contract, and unjust enrichment.

She seeks compensatory damages, reimbursement of litigation costs, and injunctive relief, including asking the court to require Deloitte to improve its security systems, perform annual audits, and pay for lifetime credit monitoring services.

Deloitte didn’t immediately respond to a request for comment.

Mason LLP, Law Offices of Peter N. Wasylyk, Goldenberg Schneider LPA, and Levin Sedran & Berman LLP represent the plaintiff and proposed class.

This case is Mahoney v. Deloitte Consulting LLP, S.D.N.Y., No. 1:24-cv-09575, complaint filed 12/15/24.