Hacker wants $10 million for key to decrypt tampered medical data

May 6, 2009 08:43 GMT

An unknown hacker defaced the website of the Virginia Prescription Monitoring Program and left a message saying that he made an encrypted backup of the medical information stored in the database and deleted the original. A security breach has been confirmed by the Virginia Department of Health, but officials have refused to comment on the hacker's claims.

The ransom note was initially reported by whistleblowing website Wikileaks. "I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password," it reads.

Sandra Whitley Ryals, director of Virginia's Department of Health Professions, directed requests for comment to the FBI. "There is a criminal investigation underway by federal and state authorities, and we take the information security very serious," she told Security Fix.

The security breach is said to have occurred on April 30, forcing the Department of Health Professions to shut down the website, which remains suspended to date. A security audit is underway and systems are being restored as they are cleared by the investigators. "Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete."

Communication by e-mail has also been temporarily suspended, but the department has set up a Web page listing phone and fax contact numbers for use until the technical difficulties are addressed. Ms. Whitley Ryals pointed out that health-care licenses would continue to be issued and that any reported violation would be investigated.

Blackmail involving stolen data is uncommon because it carries more risk for cyber-criminals, who generally prefer to sell such sensitive data on the underground market. Nevertheless, back in November 2008, Express Scripts, a leading pharmacy benefit management company in the U.S. and Canada, announced that hackers had penetrated its infrastructure and copied the personal information of millions of patients. The perpetrators contacted the company and threatened to disclose the data if they were not paid. Express Scripts not only refused, but also placed a bounty of $1 million on the identity of the extortionists.

In a similar incident, a California man tried to blackmail the U.S. branch of car manufacturer Maserati after he had stolen a database containing customer personal information from one of its promotional campaign websites. The 60-year-old hacker was later identified and arrested.

The Obama administration is pushing for digitizing medical records in an attempt to reduce and streamline health-care costs. Security researchers warn that rushing such efforts without considering all security aspects will open holes for attackers to exploit. A Dartmouth College professor recently published a report about how he located impressive amounts of medical records, leaked from all sorts of health-care organizations, on P2P file-sharing networks.