Virginia medical records hijacking -- update

We reported earlier this week about a hacker who broke into a patient database and encrypted millions of prescription records at a Virginia health agency. The agency’s Web site remains offline except for a static Web page offering contact information. Computerworld’s Jaikumar Vijayan reports that a statement released yesterday from the Virginia Department of Health Professions (DHP) said that all the data has been backed up and that the backup files were secured.

A DHP spokeswoman said today that the decision to keep the agency’s Web site offline was an effort to remain cautious while the State Police and the FBI investigate the incident. The DHP is carrying on with all of its normal licensing and regulatory activities, but none of its online services are available, the spokeswoman said. “Our Web applications will remain non-interactive until it is determined by experts both criminal and IT, that it is completely safe for us to bring it back up,” she said.

The agency disabled the Web site last Thursday after an alleged hacker posted a note claiming to have broken into the secure site for the Virginia DHP’s Prescription Monitoring Program (PMP). The note claimed the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions in a PMP database and then deleted the original data. The hacker sought a $10 million ransom for the password to decrypt the data.

“Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh,” the hacker is supposed to have said in his note, a copy of which was available on whistleblower site Wikileaks.org which was first to report the incident last Sunday. The note gave DHP officials one week to “pony up” the ransom. If it failed to do so, the hacker threatened to sell the data, which includes names, addresses, Social Security numbers, to the highest bidder.

After initially keeping mum about the incident, Virginia DHP Director Sandra Ryals late yesterday issued a statement confirming a criminal investigation “regarding a potential security breach” of the PMP database. The statement said the agency could not publicly disclose details of the incident because of the ongoing investigation. It also said all the has been “properly backed up and that these backup files have been secured.” “The entire DHP system has been shut down since Thursday to protect the security of the program data,” the statement said.

The PMP was set up as a way for pharmacists and health care professionals to track prescription drug abuse, such as incidents of patients who go “doctor-shopping” to find more than one doctor to prescribe narcotics. According to a description of the program from a cached version of the site, there were more than 31.6 million records in the PMP database as of 1 January. Doctors, pharmacists and other authorized users make requests for data from the PMP database via a secure Web page, the description said.

A spokeswoman from the Virginia State Police today confirmed that it is investigating the reported breach along with the FBI. According to the spokeswoman, the state police were contacted by the DHP last Thursday.

“We immediately initiated an investigation into the allegations made in the extortion letter and any potential intrusions into the department’s servers right way,” she said. She would not comment further because the investigation is ongoing.