A computer hacker claims to have stolen 8 million records worth of patients’ personal and prescription drug information from a Virginia government Web site.
The hacker replaced the site with a ransom note demanding $10 million in exchange for safe return of the files.
The Web site belongs to the Virginia Prescription Monitoring Program, which tracks prescription drug abuse.
It contains 35 million prescriptions and personal information from enrollees including names, addresses and social security numbers.
The demand placed on the supposedly secure site was as follows:
“Attention Virginia! I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁 For $10 million, I will gladly send along the password.”
The hacker thoughtfully provided his email address, which is “firstname.lastname@example.org.”
“This was an intentional criminal act against the commonwealth by somebody who was trying to harm others,” Governor Timothy Kaine told the Washington Post.
The Virginia Department of Health Professions is responsible for the hacked site. Its director, Sandra Whitley Ryals, has called in the FBI. Apparently the Department has backups of the violated database.
“This is a lesson for all health systems,” Deborah Peel, the founder of Patient Privacy Rights, told HealthcareITnews. “Providence hospital system spent $8-9 million fending off lawsuits for a breach; you have to prove you can be trusted.”
The hacker threatened to sell the data by last Thursday if they were not paid off. The deadline has passed and there is no sign they followed through.
State officials have raised questions as to whether the hacker can view the records, as he or she has claimed.