Virginia State Health Data Held Hostage for $10M


Although advocates agree that healthcare IT will improve service and save money, they worry about the privacy implications. Those fears were brought home with a breach in the state of Virginia.

A hacker last week claimed to have seized 8,257,378 patient records and a total of 35,548,087 prescriptions from the Prescription Monitoring Program (PMP) of, a service that helps the state and medical professionals track prescription drug abuse. The April 30 breach also resulted in the PMP Web site’s front page being defaced by a message from the hacker, which appeared on Wikileaks.

In the message, the hacker demanded $10 million for access to the records — which he or she claimed were the only available copies — and said that if the state didn’t comply by today, the records would be sold to the highest bidder.

“Now I don’t know what all this s–t is worth or who would pay for it, but I’m bettin’ someone will,” the hacker wrote. “Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver’s license #).”

State officials confirmed the attack and pledged to do everything possible to solve the crime.

“A criminal investigation is currently underway regarding a potential security breach,” Sandra Whitley Ryals, director of the Virginia Department of Health Professions (DHP), said in a statement. “While DHP cannot comment directly on an ongoing investigation, we can assure the public that all precautions are being taken for DHP operations to continue safely and securely.”

Virginia Gov. Tim Kaine told a local TV news network yesterday that the state would use the episode as a learning exercise.

Officials have not yet said how the breach occurred. They did say that they found “an unauthorized message on the Web site,” which they’re studying for clues. They also said that they’ve taken further steps to prevent additional damage.

“The entire DHP system has been shut down since Thursday to protect the security of the program data,” Ryals said. She added that the Virginia Information Technologies Agency (VITA) and Virginia State Police have been notified.

In the absence of specific information about the breach, experts were left to speculate as to its cause — and how the state might have better protected itself.

“There are several things organizations can do to ensure protection at all levels and safeguard information from individuals outside and inside an organization,” Tim Brown, security software architect at CA, said in an e-mail to

“An obvious line of defense to protect a system from a hacker attack is to make sure all computers with browsers have the latest patches,” he said. “Firewalls, antivirus, intrusion detection and other layers of security protection also will likely stop the malware before it infects your network.”

Since the hacker claims to have the only copies of the data, Brown said that a review of data archiving policies may be in order.

“It is also important to ensure your sensitive data is regularly backed up and kept in offsite storage,” he said. “You also can protect the systems and applications by limiting privileged access to only those who need to have access. You can do this with role models. Data loss prevention (DLP) technology also helps you identify sensitive information and take appropriate action when data is stored in inappropriate areas, e-mailed or saved.”

He said that an audit process is required. “Regular audits to recertify access and track usage of sensitive data are needed for continuous security and compliance,” he said.

Deadline nears

Meanwhile, the clock is ticking on the hacker’s ransom demands.

“If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid,” the hacker wrote in their April 30 message.

Virginia state authorities have not yet said how they will respond, and did not return requests for additional comment.

The news comes amid increasing interest in — and scrutiny of — health IT initiatives. The White House, for one, is in the process of launching major health care initiatives that hinge heavily on IT efforts.

Leading the executive branch’s healthcare IT initiative will be one of the many tasks of the new federal CTO, Aneesh Chopra, formerly the secretary of technology of the state of Virginia.

Nor is it clear whether Virginia residents affected by the breach need to be notified. One healthcare legal blogger wrote that although the Commonwealth of Virginia might not be obligated by law to inform those affected, it would be a good idea.

“When I have assisted clients with these types of data breach situations in the past, I typically discuss with the client whether it is good practice to provide notification,” wrote Bob Coffield of Flaherty, Sensabaugh & Bonasso.

Ryals acknowledged the issue. “As the criminal investigation permits, we will be sharing additional details in the coming days on the agency’s website including questions and answers for concerned program participants,” she said.

Update adds comments from Ryals and Brown.
