Rhode Island Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

Rhode Island is the smallest state in the United States by land area, but its concentration of healthcare systems, defense installations, and educational institutions creates a cybersecurity risk profile far larger than its physical footprint would suggest. CVS Health — the nation's largest pharmacy chain — is headquartered in Woonsocket. Naval Station Newport and the Naval War College anchor a significant defense presence. Brown University and the Rhode Island School of Design attract world-class talent and research data. These institutions collectively generate and process enormous volumes of sensitive personal, financial, and classified information within a compact geographic area.

The breach timeline below demonstrates that Rhode Island's organizations face the same threat actors targeting far larger states — ransomware gangs, nation-state espionage groups, and financially motivated cybercriminals — but often with the resource constraints of a small-state economy. Each incident carries specific lessons about security gaps that persist across the state. Understanding this history is essential for evaluating the Rhode Island cyber threat landscape and building proportionate defenses.

Major Cyber Incidents in Rhode Island: A Timeline

2011 — South County Hospital Data Breach

South County Hospital in Wakefield disclosed that a billing department employee had been accessing patient financial records without authorization over a period of several months. The breach exposed names, Social Security numbers, dates of birth, and insurance information for hundreds of patients. The incident led to criminal charges against the employee and prompted the hospital to implement stricter access controls, role-based permissions, and enhanced audit logging across its electronic health records system.

2014 — Lifespan ACE Breach

Lifespan, Rhode Island's largest healthcare system operating Rhode Island Hospital, The Miriam Hospital, and Bradley Hospital, reported that an affiliate data management entity called Auxiliary Compliance and Ethics (ACE) had experienced unauthorized access to files containing patient information. The compromised data included names, medical record numbers, and health insurance information. While the number of affected patients was relatively small, the incident highlighted third-party data handling risks within the Lifespan network.

2017 — Lifespan Laptop Theft

Lifespan disclosed a breach affecting approximately 20,000 patients after an unencrypted laptop was stolen from an employee's car. The laptop contained patient names, medical record numbers, dates of birth, and in some cases diagnoses and procedure information. The U.S. Department of Health and Human Services Office for Civil Rights investigated and Lifespan agreed to a $1.04 million HIPAA settlement in 2020. The settlement specifically cited Lifespan's failure to encrypt portable devices as the core violation — a systemic issue that affected all of the health system's affiliated hospitals.

2019 — City of Providence Ransomware Attempt

The City of Providence detected and partially contained a ransomware intrusion targeting municipal IT systems. While the city reported that the attack was stopped before significant encryption occurred, the incident disrupted several city services and prompted an emergency review of the city's cybersecurity posture. Providence subsequently increased its cybersecurity budget and engaged external security consultants to assess and remediate vulnerabilities across municipal systems.

2021 — Brown University Cyberattack

Brown University in Providence experienced a cyberattack in March 2021 that forced the university to shut down many of its IT systems as a precautionary measure. The university took its network, VPN, and various campus systems offline while cybersecurity teams investigated the incident. While Brown stated that its most sensitive research and financial data had not been compromised, the disruption affected academic operations, email, and campus services for several days. The incident demonstrated the challenges universities face balancing open academic networks with security requirements.

2023 — Prospect Medical Holdings (Rhode Island Hospitals)

The August 2023 Prospect Medical Holdings ransomware attack affected Roger Williams Medical Center and Our Lady of Fatima Hospital in Rhode Island, along with facilities in other states. Both Rhode Island hospitals were forced to divert emergency patients, cancel procedures, and operate on paper-based systems for an extended period. The attack was one of the most significant healthcare cybersecurity events in Rhode Island history, prompting state legislators to examine cybersecurity requirements for healthcare providers operating in the state.

2023 — Rhode Island Public Transit Authority (RIPTA) Data Breach

The Rhode Island Public Transit Authority disclosed a data breach that had actually occurred in August 2021 but was not fully identified and reported until 2023. The breach exposed personal information of approximately 22,000 individuals, including current and former RIPTA employees and health plan members. Compromised data included names, Social Security numbers, dates of birth, Medicare ID numbers, and health plan enrollment information. The delayed notification drew criticism from the Rhode Island Attorney General, and RIPTA faced a class action lawsuit. The incident highlighted the importance of timely breach detection and notification.

2024 — RIBridges State Benefits System Breach

In December 2024, Rhode Island disclosed that RIBridges — the state's integrated eligibility system for Medicaid, SNAP, TANF, childcare assistance, and other public benefits programs — had been breached by the Brain Cipher ransomware group. The breach potentially exposed the personal data of hundreds of thousands of Rhode Island residents who had applied for or received public benefits. Compromised information included names, Social Security numbers, dates of birth, addresses, and in some cases banking information. The incident was one of the most significant cyberattacks on a state government benefits system in U.S. history and prompted emergency response from the Governor's office.

Rhode Island's Data Breach Notification Law

Rhode Island's breach notification requirements are established under the Rhode Island Identity Theft Protection Act of 2015 (RIGL 11-49.3). The law requires any person or entity that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information of Rhode Island residents to notify affected individuals within a reasonable time after confirmation of a breach, not to exceed 45 calendar days. This is one of the shorter notification deadlines among U.S. states.

If a breach affects more than 500 Rhode Island residents, the organization must also notify the Rhode Island Attorney General and the major credit reporting agencies. The Attorney General maintains public records of reported breaches. Personal information under the statute includes an individual's name combined with Social Security numbers, driver's license numbers, financial account information, medical records, health insurance data, and email addresses with passwords. For complete details on Rhode Island's regulatory framework, see our Rhode Island compliance and privacy law guide.

Which Rhode Island Industries Are Most Targeted?

Healthcare

Rhode Island's healthcare sector — dominated by Lifespan (Rhode Island Hospital, The Miriam Hospital, Bradley Hospital), Care New England (Women & Infants Hospital, Kent Hospital), and Prospect Medical (Roger Williams, Our Lady of Fatima) — represents the most frequently breached industry in the state. The Lifespan HIPAA settlement, the Prospect Medical ransomware attack, and the RIPTA health plan exposure all demonstrate the persistent risk to medical data. Organizations should invest in healthcare-specific cybersecurity programs that address both clinical and administrative system security.

Defense and Naval

Naval Station Newport, the Naval War College, and the Naval Undersea Warfare Center Division Newport collectively represent one of the most significant naval installations on the East Coast. The surrounding defense contractor ecosystem handles controlled unclassified information and classified data related to submarine warfare, torpedoes, and naval electronics. These organizations face persistent nation-state targeting, particularly from Chinese and Russian intelligence services.

Higher Education

Brown University, the Rhode Island School of Design, the University of Rhode Island, and other institutions hold extensive student, employee, and research data. Universities face a unique challenge: they must maintain open academic networks for research collaboration while protecting sensitive data from increasingly sophisticated threat actors. The 2021 Brown University attack demonstrated these competing priorities. Education IT security programs must balance openness with protection.

State Government

The RIBridges breach demonstrated that Rhode Island's state government systems hold vast quantities of personal data for some of the state's most vulnerable populations. State agencies managing benefits, taxation, and licensing are attractive targets because they aggregate data from large portions of the population and may operate on aging technology infrastructure.

What Rhode Island Businesses Must Do After a Breach

If your Rhode Island organization experiences a data breach, the following steps are required or strongly recommended under state law:

• Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve forensic evidence for investigation

• Conduct a thorough investigation — determine the scope of data accessed, the intrusion method, and whether the attacker retains ongoing access

• Notify affected individuals within 45 days of confirming the breach, as required by RIGL 11-49.3, including a description of the incident and recommended protective actions

• Notify the Rhode Island Attorney General if 500 or more residents are affected, providing breach details and response measures

• Notify credit reporting agencies if 500 or more individuals are affected by the breach

• Offer identity theft protection services — while not specifically mandated, it is considered best practice and may be required under federal regulations like HIPAA for healthcare breaches

• Document the entire response timeline — maintain records of discovery, containment, investigation, and all notifications for regulatory review and potential litigation

How to Protect Your Rhode Island Business Before an Incident

Rhode Island's breach history reveals recurring themes: unencrypted portable devices, delayed breach detection, insider threats, and ransomware targeting healthcare. Businesses can materially reduce their risk by addressing these specific weaknesses:

• Encrypt all portable devices and media — the Lifespan laptop theft and $1.04 million HIPAA settlement demonstrate the direct financial consequences of unencrypted data on portable devices

• Implement multi-factor authentication on all remote access, email, and privileged accounts

• Deploy breach detection monitoring — the RIPTA breach went undetected for over a year, dramatically increasing both the scope of exposure and regulatory consequences

• Train employees on security awareness including phishing recognition, proper handling of portable devices, and reporting procedures for suspicious activity

• Segment networks to prevent lateral movement, particularly in healthcare environments where clinical and administrative systems should be isolated

• Conduct regular vulnerability assessments and penetration tests to identify exploitable weaknesses before attackers do

Many Rhode Island organizations, particularly healthcare systems and educational institutions, partner with managed security providers to maintain continuous monitoring capabilities that their internal teams cannot sustain alone.

Frequently Asked Questions

How quickly must a Rhode Island business report a data breach?

Under RIGL 11-49.3, Rhode Island businesses must notify affected individuals within 45 calendar days of confirming a breach. This is one of the shorter notification deadlines in the United States. If 500 or more residents are affected, the Attorney General and credit reporting agencies must also be notified within the same timeframe.

What are the penalties for failing to report a breach in Rhode Island?

The Rhode Island Attorney General enforces the breach notification law under the Deceptive Trade Practices Act. Penalties can include civil fines of up to $100 per individual affected (up to $25,000 per incident), injunctive relief, and attorney's fees. The RIPTA breach demonstrated that delayed notification draws particular scrutiny from the AG's office.

What was the most significant cyberattack in Rhode Island history?

The December 2024 RIBridges breach is the most significant in terms of scope and impact. The state's integrated benefits system held data for hundreds of thousands of Rhode Island residents — including Medicaid recipients, SNAP beneficiaries, and childcare assistance applicants — making it potentially the largest exposure of personal data in Rhode Island history. The Prospect Medical ransomware attack was the most operationally disruptive, forcing two hospitals into degraded patient care for weeks.

Does Rhode Island have a comprehensive data privacy law?

Rhode Island does not currently have a comprehensive consumer data privacy law comparable to the CTDPA or CCPA. The state's primary data protection framework consists of the Identity Theft Protection Act (breach notification), the Personnel Records Inspection Act, and various sector-specific federal regulations. However, legislative proposals for comprehensive privacy legislation have been introduced and may advance in future sessions.

Are Rhode Island defense contractors subject to CMMC requirements?

Yes. Defense contractors and subcontractors working with Naval Station Newport, the Naval War College, Naval Undersea Warfare Center, or any DoD entity must comply with CMMC requirements when handling controlled unclassified information. CMMC Level 2 requires implementing all 110 controls in NIST SP 800-171 and undergoing third-party assessment. Many small Rhode Island defense firms will need external support to achieve and maintain compliance.