We must act now
By Ava Fosberg, Rhode Island Current
Rhode Island has already seen how quickly a digital failure can spiral into a full-scale crisis. The state cannot afford to wait for federal action as these threats continue to grow.
In December 2024, hackers used stolen login credentials to breach the RIBridges system. The attack exposed sensitive personal data tied to nearly 650,000 Rhode Islanders.
Residents lost access to critical services like Medicaid and SNAP. Families struggled to get benefits, verify eligibility, and access necessary care. What started as a cybersecurity issue quickly became a public health and economic crisis.
In January, the Beacon Mutual Insurance Group of Rhode Island confirmed a ransomware attack on its network. Investigators continue to determine the full scope, but early reports suggest that the attack exposed personal information belonging to hundreds of Rhode Islanders. These incidents show a clear pattern of growing vulnerability.
At the same time, threats continue to expand globally. Iran-linked cyber activity now targets U.S. hospitals and health care organizations as part of the broader international conflict in the Middle East. For Rhode Island hospitals, the growing threat of a cyberattack raises the stakes and makes the need for stronger cybersecurity an urgent priority.
In 2024 alone, health care data breaches affected over 289 million individuals, an increase of more than 373% since 2021. Hospitals still treat cybersecurity as optional. Tight operating margins limit hospitals’ ability to invest in stronger systems. That pressure already shows up locally. Brown University Health reported a $17.6 million operating loss in the first quarter of fiscal year 2026, showing how little financial flexibility many local health systems have. When margins shrink, leaders often delay cybersecurity upgrades even as threats grow more sophisticated.
The cost of inaction continues to rise. Cyberattacks force system shutdowns, drive expensive forensic investigations, trigger legal action, and require long-term identity protection for residents. In 2025, Deloitte agreed to pay $5 million to help Rhode Island recover from the RIBridges breach. Even with that support, the state has spent millions responding to cyber incidents while residents face lasting risks like identity theft and fraud.
The threat is clear. Will policy keep up?
At the federal level, policymakers started to respond, but targeted hospital funding did not survive the budget process.
The Biden Administration sought $800 million for high-need hospitals, along with $500 million in hospital incentives, and $141 million for HHS cybersecurity and health information protection in its fiscal year 2025 budget submitted to Congress. But those hospital-specific funds were not included in the adopted budget. In the Trump Administration’s fiscal year 2026 budget request, federal cybersecurity appears only in broader infrastructure funding through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), with no mention of dedicated support for hospitals. Broad federal funding leaves states and hospitals to carry the burden.
At the state level, Rhode Island has a cybersecurity strategy but lacks strong, enforceable requirements for hospitals. New York has already taken stronger action with clear mandates for health care systems. Rhode Island still does not require comparable hospital-specific standards, even though preventative measures cost far less than the $9 million to $10 million hospitals lose on average from a single data breach.
The RIBridges program alone operates on a budget of about $130.8 million, yet leaders do not clearly define cybersecurity spending within it. Rhode Island should redirect a small portion of program funds toward targeted upgrades. Even an extra $250,000 per hospital would make a noticeable difference, allowing systems to deploy more prevention tools. The state could also create a dedicated cybersecurity fund for hospitals and other health care facilities that offers grants or matching funds, where Rhode Island covers part of the cost of major upgrades so hospitals do not carry the full cost alone. Rhode Island must act now to get ahead of the next breach instead of paying for the consequences after.
Global threats continue to grow, and hospitals remain prime targets for hackers and cybercriminals. Under tight operating margins, even critical investments like cybersecurity can get pushed aside. Protecting our systems now means protecting our patients.
Rhode Island Current is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501(c)(3) public charity. Rhode Island Current maintains editorial independence. Contact Editor Janine L. Weisman for questions: info@rhodeislandcurrent.com.
