Active breach tracker Rhode Island Disclosed October 3, 2025

Brightstar Global Solutions Corporation Data Breach 2025: 103,879 Affected (Including Health Data) · Now Brightstar Lottery PLC · RI Health Plan

Brightstar Global Solutions Corporation, the Rhode Island lottery technology operator formerly part of IGT, filed an HHS OCR breach on October 3, 2025 affecting 103,879 individuals. Unauthorized access was discovered November 17, 2024 and the data review completed August 21, 2025 — an eleven-month notification gap. Exposed data per state AG notices includes names, dates of birth, government IDs, Social Security numbers, financial account information, and health data. Kroll identity monitoring offered. Multiple plaintiffs' firms investigating. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 17, 2024

Unauthorized third party access to Brightstar/IGT internal corporate systems discovered

Nov 17, 2024

Same-day detection per company notice

Aug 21, 2025

Data review completed identifying impacted individuals and data elements

Oct 3, 2025

Notification letters mailed; HHS OCR filing; state AG filings (CA, ME, MA, MT, OR)

Oct 3, 2025

HHS OCR portal entry — 103,879 affected, Hacking/IT Incident, Network Server

Oct 6, 2025

Vermont Attorney General notice filed; multiple plaintiffs' firms announce investigations same week (Strauss Borrelli, Lynch Carpenter, Murphy Law Firm, Edelson Lechtzin, Schubert Jonckheer & Kolbe, Cafferty Clobes, Federman & Sherwood, Pittman Dutton)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Government identification documents or numbers (e.g., driver's license) Social Security number or other tax identifier

03

Contact & insurance

Phishing + targeted scams

Full name Contact information Financial account information Health data Other information collected in connection with the individual's relationship with Brightstar or a lottery/gaming venue supported by Brightstar

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Lynch Carpenter, LLP Murphy Law Firm Edelson Lechtzin LLP Schubert Jonckheer & Kolbe LLP Cafferty Clobes Meriwether & Sprengel LLP Federman & Sherwood (investigating) Pittman Dutton Hellums Bradley & Mann, P.C. (investigating) Almeida Law Group (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Brightstar Global Solutions Corporation, a Rhode Island lottery-technology operator that until recently was part of International Game Technology (IGT), filed an HHS OCR breach on October 3, 2025 reporting 103,879 affected individuals. The OCR portal classifies the entity as a Health Plan and the incident as a Hacking/IT Incident at Network Server — consistent with employee, retiree, or participant health-plan records being among the data sets stored on the compromised internal systems. Unauthorized access was actually discovered eleven months earlier, on November 17, 2024, and the data review did not complete until August 21, 2025.

Timeline

  • November 17, 2024 — Brightstar and IGT discover that an unauthorized third party accessed certain internal corporate systems.
  • August 21, 2025 — Forensic review of impacted data completes, identifying affected individuals and data elements.
  • October 3, 2025 — Notification letters begin mailing. Brightstar files with HHS OCR (103,879 affected) and with the Attorneys General of California, Maine, Massachusetts, Montana, Oregon, Washington, New Hampshire, Iowa, Nebraska, South Carolina, and Texas. Rhode Island AG receives notice the same week; the Rhode Island count is 6,354 residents. Other confirmed resident counts: Washington (1,796), Massachusetts (1,483), Montana (208), Maine (116).
  • October 6, 2025 — Vermont Attorney General receives notice. Multiple plaintiffs’ firms announce investigations the same week: Strauss Borrelli, Lynch Carpenter, Murphy Law Firm, Edelson Lechtzin, Schubert Jonckheer & Kolbe, Cafferty Clobes Meriwether & Sprengel, Federman & Sherwood, Pittman Dutton Hellums Bradley & Mann, and Almeida Law Group.

The roughly eleven-month gap between discovery and individual notification is a recurring complaint in the plaintiffs’ bar’s public investigation notices and is likely to feature in any class complaint.

The company has since rebranded: Brightstar Global Solutions Corporation is now publicly known as Brightstar Lottery PLC, a foreign private issuer traded on U.S. markets and registered with the SEC (Commission File No. 001-36906, formerly traded under International Game Technology PLC). The July 2025 corporate split separated Brightstar Lottery (lottery technology) from IGT (casino gaming and FinTech).

What was exposed

Per the state Attorney General notice letters, the data elements involved may include:

  • Full name and contact information
  • Date of birth
  • Government identification documents or numbers, such as driver’s license
  • Social Security number or other tax identifier
  • Financial account information
  • Health data
  • Other information collected in connection with the individual’s relationship with Brightstar or a lottery or gaming venue supported by Brightstar

The presence of health data in the disclosed categories — combined with the OCR filing under the Health Plan classification — is what places this incident on this page. The most likely health-data subset is employee or retiree group-health-plan information rather than patient records.

What the plan is offering

Brightstar engaged Kroll to provide identity-monitoring services at no cost for 24 months, including credit monitoring, fraud consultation, and identity-theft restoration. Affected individuals can enroll at https://enroll.krollmonitoring.com using the enrollment code printed in their individual notification letter. The enrollment deadline is stated in each individual letter. A dedicated assistance line is available at (866) 819-2404, Monday through Friday.

Class-action posture

As of early June 2026, no consolidated class-action complaint has been confirmed on the public dockets in our review, but at least nine plaintiffs’ firms have publicly opened investigations within days of the October 3 notice: Strauss Borrelli PLLC, Lynch Carpenter LLP, Murphy Law Firm, Edelson Lechtzin LLP, Schubert Jonckheer & Kolbe LLP, Cafferty Clobes Meriwether & Sprengel LLP, Federman & Sherwood, Pittman Dutton Hellums Bradley & Mann P.C., and Almeida Law Group. ClassAction.org has noted that its investigation into this matter is now complete — suggesting attorneys coordinating through that aggregator have moved toward a filing decision. The recurring themes in firm announcements are (1) the eleven-month delay between discovery and notification, (2) the sensitivity of the data set (SSN plus financial plus health), and (3) the size of the affected population. District of Rhode Island and possibly the District of Nevada (IGT’s headquarters at the time of the incident) are the venues to watch for any consolidated complaint.

What to do

  1. Watch your mail for a notification letter from Brightstar Global Solutions Corporation. The letter carries your personal enrollment code for Kroll identity monitoring.
  2. Enroll in the Kroll monitoring before the deadline in your letter. Twenty-four months of credit monitoring plus identity-theft restoration is materially better than nothing, especially given that SSN was in the data set.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account fraud and it stays in place after the Kroll coverage expires.
  4. Pull free credit reports at annualcreditreport.com and review for unfamiliar accounts.
  5. If you are a Rhode Island lottery retailer, vendor, employee, or contractor of Brightstar/IGT and you have not received a letter by mid-2026, contact the Brightstar assistance line at (866) 819-2404 to confirm whether you were in scope.
  6. Decide on class-action participation when a complaint is filed and a class notice issues. Until then, retaining your notification letter and the postmarked envelope preserves your standing.
  7. Stop the ongoing flow of your health plan data. HealthConsent files HIPAA restriction requests so the health and benefits data exposed in this breach is not continuously re-shared across insurance networks and third-party data brokers.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.