14 DAY TRIAL // Following a security incident on the website of the Prescription Monitoring Program, after which an unknown hacker allegedly held sensitive data for ransom, the Virginia Department of Health Professions (DHP) says that the information is safe on its backup servers. The criminal investigation continues.
"Prescription Monitoring Program collects required prescription information from pharmacies across the state for certain types of drugs, such as highly addictive pain killers. Designed to help reduce drug abuse, theft, and illegal sale of prescription drugs, the prescription information is made available only to registered users of the system, including licensed drug prescribers," the DHP explains.
On April 30, the department officials noticed that the website serving the Prescription Monitoring Program had been defaced and was displaying a disturbing message. "I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password," it read.
All DHP computer systems were immediately taken offline and forensic, as well as security experts were called in to assess the damage. "The entire DHP system has been shut down since Thursday to protect the security of the program data, and state authorities including the Virginia Information Technologies Agency (VITA) and the Virginia State Police were notified immediately upon identifying the potential breach," Sandra Whitley Ryals, Virginia DHP's director, explained.
Fortunately, the hacker's claim to have destroyed all usable copies of the data proved to be false. "We are satisfied that all data was properly backed up and that these backup files have been secured," Ms. Whitley Ryals announced. Critical systems are slowly being restored, however, until full service will be available again, violations can be reported via phone.
Even so, if the sensitive data was breached, there is still a possibility that the hacker has left with a copy of it. That can translate into identity theft risks for patients, because such information can be sold on the black market. Pharmacies and other institutions licensed to distribute high-risk substances are required to send reports twice a month regarding the quantity of controlled substances given to patients. Therefore, the data stored in the Prescription Monitoring Program contains real names and addresses, correlated with Social Security Numbers and birth dates.