RI State Auditor Repeatedly Warned About Security Risks for RI Bridges
Ken Block, MINDSETTER™
RI State Auditor Repeatedly Warned About Security Risks for RI Bridges
The audit report for the fiscal year ending June 2023 (the most recent report available) contains the following warnings. I emphasize them to highlight the crucial information.
GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLAST
On page 6 of the report, “The State updated its current cybersecurity readiness and has begun to identify risk mitigation priorities and the resources necessary to implement necessary corrective action. The State does not currently have sufficient resources dedicated for the size and complexity of State operations and risk mitigation is not progressing quickly enough.”
This warning appears in four years’ worth of Auditor reports, worded precisely the same way.
For four years, the Auditor warned us that we lacked the resources to protect our confidential information. The governor’s office and the legislature did not resolve the problem – for years.
How about this one, found on page 8? “Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and MMIS systems.” This audit finding points right at the systems that were hacked.
Now that we are faced with responding to a data breach, I wish I had not come across this finding on page 322: “The state needs to further enhance its coordination and training to improve its incident response capabilities in the event of a data breach.”
If the RIDOT mess has taught us anything, it should be that state vendors cannot be trusted to protect the State’s interests. These businesses will always prioritize their own interests higher than the state’s. This finding is important, and changes should be made as soon as possible: “The State relies on external vendors for RIBridges security reviews. Reviews are not happening frequently enough.”
The audit report is hundreds of pages long, and I have only had time to search it for very specific issues. However, while reviewing cybersecurity concerns, I found this one, which should give us all heartburn. From page 310: “The Treasury lacks dedicated internal audit and information system (IS) security functions common in most state Treasury operations to ensure that financial and IS security controls are in place and operating effectively.”
The state's vulnerabilities are simply greater than just RI Bridges
We have been and were warned. Will our government now step up its cybersecurity game?
The full audit report can be found here: http://www.oag.ri.gov/reports/SA_RI_2023.pdf
First published 12/16/2024 6:02 PM
History of Deloitte and UHIP in Rhode Island
2013 — “Original” Budget
The project — which goes back to the Chafee administration, which saw federal funding on the table for the technology for both boosting enrollment and tracking beneficiaries under Obamacare — was originally budgeted to cost between $110 and $135 million.
UHIP officially launched in 2013 with the “ultimate” goal of saving Rhode Islanders “more than $90 million each year, including more than $40 million in state general revenue.”
2015 — Costs Tripled
The UHIP cost tripled to $364 million by 2015 — even before the hybrid portal was launched. And taxpayer groups weighed in.
“With a similar net cost to Rhode Islanders as the 38 Studios debacle and the initial 38 Stadium proposal, the UHIP project is yet another example of government inefficiency and special interest spending, which will consume upwards of $77 million in state taxpayer dollars as well as hundreds of millions from federal taxpayers," wrote the Rhode Island Center for Freedom and Prosperity in September 2015.
2016 — Rollout By Raimondo Administration "Beyond Embarrassment"
“Impatience on behalf of state agencies’ leaders and inadequate preparation resulted in a half-baked program being thrust upon Rhode Islanders," said Finance Chairwoman Patricia Serpa in October of 2016.
"This time, it went beyond embarrassment and inconvenience, leaving our most vulnerable citizens — children, the elderly, the disabled, the needy — without support. This avoidable blunder affected thousands of human lives, and those responsible for it should account for their actions,” she added.
Rhode Island's biggest-ever IT project launched at the end of September — and what was originally a $135 million budget turned into $364 million the prior year. The state requested an additional $124 million in federal funding to bring the total to nearly a half billion dollars, for roughly $487.4 million from 2011 through 2018.
2016 — RI's Consultant, Deloitte, Had Problems With a Similar Project in Kentucky
Program vendor Deloitte had come under fire in Kentucky for the rollout of their “one-stop shop for benefits,” called “benefind.”
Deborah Yetter wrote for the Courier-Journal:
The launch of a new state public benefit system drew harsh criticism Thursday from lawmakers, with one calling for a state attorney general's examination of the contract with Deloitte Consulting, the company that built the $100-million system known as benefind.
"It seems like our most vulnerable populations are the ones who have paid for the shortcomings," Sen. Danny Carroll, a Paducah Republican, said of the system that caused massive disruptions in public benefits such as Medicaid and food stamps earlier this year. "Maybe that's something the attorney general should take a look at."
Carroll, co-chairman of the joint House-Senate Program Review and Investigations Committee, which held Thursday's hearing, suggested the attorney general could review whether Kentucky could recoup any of the funds it paid Deloitte and whether the contract offered sufficient protection to Kentucky in light of problems with the launch.
2017 — More Money Needed to Fund UHIP and Deloitte
Rhode Island then looked for an additional $124 million from the federal government for Fiscal Year 2018.
‘’This project continues to come in under the $364M that we have stated will be the cost for the first 5 years of the project. The request...to the federal government for authorization [is] for up to an additional $123.6M,” said Sophie O’Connell with the Rhode Island Office of Health and Human Services.
"This request preserves the state’s ability to consider policy options for accessing an elevated level of federal matching funds in the future. These are not base project costs and this represents a request for authorization for federal funding which may or may not become part of an EOHHS budget request to the Governor and then the General Assembly for FY18. We expect to receive a response from the federal government on this request this fall," said O'Connell.
January, 2017 — Raimondo Takes "Decisive Action" Months Later
As GoLocal reported in 2017:
Governor Gina Raimondo announced on Thursday that she took “decisive action” nearly four months following the botched UHIP rollout by accepting the resignations of two high-level staffers and withholding millions in payments to vendor Deloitte.
Critics of UHIP, which has adversely impacted thousands and is the subject of an ACLU lawsuit, were not impressed, however, by Raimondo’s assertion that action was taken quickly or effectively — and questioned the ousting of Melba DePena and Thom Guertin while keeping Secretary of Health and Human Services, Elizabeth Roberts.
“After four long months, the issue is not firing two people who weren't the real decision-makers,” said House Minority Leader Patricia Morgan. “The issue is why the top leaders chose to launch a woefully incomplete system to begin with. Those leaders knew it was not ready. "
“This is Governor Raimondo's total failure of leadership and the height of her arrogance,” said Republican Party Chair Brandon Bell. “She ignored warnings about launching from the federal government, she fired approximately 40 people prematurely and she hired political people who had no business running the Department of Human Services."
Among those who criticized Raimondo on Thursday was Nicholas Oliver with the Rhode Island Partnership for Home Care, who has seen significant ramifications result from the UHIP problems.
“Removing DHS Director DePena and Chief Digital Officer Guertin does not resolve provider reimbursement delays, nor resolves the current access to healthcare barriers caused by this UHIP implementation failure. I was underwhelmed by the Governor’s remarks today,” said Oliver.
February 2017 — Roberts Out, Wood Demoted
GoLocal reported:
Former Rhode Island Lt. Governor Elizabeth Roberts will resign as Secretary of Health and Human Services. In addition, Jennifer Wood who has served as Roberts' long-time deputy will be demoted.
The most damning development will be the release on Thursday of a report drafted in part by top Raimondo staffer Eric Beane.
That report will be released to the House Oversight Committee and is expected to unveil serious issues in management, decision-making, and a technology that is more flawed than previously reported.
February 2017 — Raimondo Speakes at Deloitte Conference
GoLocal unveiled that then-Governor Gina Raimondo was in California - at an event sponsored by UHIP consultant Deloitte, who she blasted earlier that week.
As GoLocal reported:
Raimondo's schedule for Friday lists partial details about the "Girls Who Code" summit.
But the Girls Who Code Facebook page provides even more information, including sponsor Deloitte.
"We paid them a lot of money, we didn’t get what we paid for," Raimondo said on Wednesday, of Deloitte's involvement in the UHIP debacle. "And they represented to us that it was in much better shape than in fact it was: defective functionality, incomplete interfaces, engines that still aren’t working."
"Deloitte is not paying for any of the travel," said Raimondo spokesperson David Ortiz on Friday. "She had already committed to be at the event, and was able to have a private conversation with the CEO of Deloitte consulting, who committed to being in regular communication with the Governor."
2017 — More Deloitte Problems
In 2017, there were more problems linked to Deloitte.
- Settlement Reached in Lawsuit Over Food Stamp Benefit Delays Caused by UHIP
- Federal Court Appoints Special Master
- Latest Deloitte-UHIP Debacle - Incorrect Tax Forms Sent to 3,000 HealthsourceRI Members
2019 — $11 Million Paid to Dead People and Other Key Findings of RI State Audit
GoLocal reported:
The Office of the Auditor General of Rhode Island issued a blistering report unveiling the payment of approximately $11 million paid to 10,800 dead people and other serious failures.
The report released before the House Oversight Commission by Rhode Island Auditor General Dennis Hoyle found serious flaws in compliance with federal requirements, potential technology security controls, and failed fiscal management.
The 443-page report found that a number of the failures were tied to the state's controversial UHIP computer system -- the program that the administration of Governor Raimondo has been trying to rebrand it as RIBridges.
The mismanagement of UHIP has led to oversight by the Federal Court to ensure the Raimondo administration complied with federal law.
June 2021 — McKee Signed 3-Year Extension with Deloitte
Since then, the McKee administration has paid Deloitte nearly $150 million:
2025 (to date)
DELOITTE CONSULTING LLP
$9,816,933.92
2024
DELOITTE CONSULTING LLP
$53,918,159.61
2023
DELOITTE CONSULTING LLP
$45,399,066.36
2022
DELOITTE CONSULTING LLP
$34,738,925.25
