Virginia Health Database Breached; Ransom Note Left

A Virginia state website run by the Virginia Department of Health Professions (VDHP) and used by doctors and pharmacists in the tracking of prescription drug abuse has been breached. More than 8 million patient records were deleted and the home page was replaced with a ransom note demanding $10 million for the return of the deleted records.

The Virginia Prescription Monitoring Program website was breached and the homepage was defaced with a message alleging that the prescription database had been encrypted into a password-protected file that was being held for ransom.

The ransom message said in part:

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Officials at the state and federal levels have had little to say about the attack, but the FBI and Virginia State Police have confirmed they are investigating.

The cyber-criminal claims to have stolen records from the Prescription Monitoring Program, the VDHP’s method of tracking prescriptions for controlled substances such as narcotics. Doctors and pharmacists use the website to prevent patients from receiving controlled substances from multiple doctors and pharmacies.

The VDHP website has limited availability at this time, with most links removed.

According to the Washington Post:

This is the second major extortion attack related to the theft of health care data in the past year. In October 2008, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

Relevant Links:

• http://it.slashdot.org/article.pl?sid=09/05/05/1232240
• http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html
• http://www.timesdispatch.com/rtd/news/local/article/HACK06_20090505-222609/265969/

Net Easy takes security seriously. If you're concerned about the security of your data, contact us now for a complete analysis of your current setup.