Weeks after a major cyberattack hit a Rhode Island medical information database, the state’s largest public employee retirement system is seeking help with its own information technology security.
Rhode Island Employees’ Retirement System, Providence, issued an RFP Jan. 6 for IT security vendors who can provide an information systems security risk assessment of ERSRI’s physical office space and IT security policies and procedures.
The winning party will also perform an independent assessment of the security protocols of ERSRI’s line of business contractor, Telus, and of Telus’ payroll contractor, Ceridian Day Force.
Among other things, the contractor will be asked to review and update current security policies and procedures, enter into a contract to provide monthly on-site risk management and review of cybersecurity procedures, analysis of system output data to identify potential breaches, suggest best practices, and apprise senior management of known threats, the RFP noted.
Proposals must be received by 4 p.m. EDT on Feb. 14.
Candidates will be interviewed during the week of Feb. 24 and the contract is slated to begin March 3. As of Oct. 31, ERSRI had about $11.5 billion in assets.
The issuance of the RFP comes only weeks after the state of Rhode Island said its RIBridges data system, which links hundreds of thousands of state residents to various state programs and benefits, including Medicaid and Supplemental Nutrition Assistance Program, was the target of a cyberattack.
“To the best of our knowledge, any individual who has received or applied for health coverage and/or health and human services programs or benefits could be impacted by this leak,” the office of Rhode Island Governor Dan McKee said Dec. 14.
The leak may have involved such personal information as names, addresses, dates of birth and Social Security numbers, as well as certain banking information, McKee’s office stated.
In an updated news release issued Dec. 30, McKee’s office said the cybercriminal released some RIBridges files to a site on the dark web.
“Right now, IT teams are working diligently to analyze the released files. This is a complex process and we do not yet know the scope of the data that is included in those files, but as we’ve been saying for several weeks, we should assume that data contained in the RIBridges system has been compromised. While this data has been compromised, that does not mean it has been used for identity theft purposes, yet.”