'Hacker' threatens to expose health data, demands $10M

Hoax or the real thing? Virginia health agency Web site shut down but investigators mum

Days after a hacker claimed to have broken into a database and encrypted millions of prescription records at Virginia's Department of Health Professions, it remains unclear what happened.

Whistleblower Web site Wikileaks.org last Sunday carried a report from an anonymous poster who said that the secure site for Virginia's Prescription Monitoring Program (PMP) had been broken into by a hacker making a US$10 million ransom demand.

The alleged ransom note posted on the Virginia PMP site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data.

"Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh," the hacker is supposed to have said in his note, a copy of which was available on Wikileaks. "For $10 million, I will gladly send along the password," for decrypting the data, the supposed hacker wrote.

The expletive-laden note goes on to say that authorities have seven days to decide if they will "pony up" the money. If the ransom is not paid, "I'll go ahead and put this baby out on the market and accept the highest bid," the note says.

The hacker admits that while he is unsure about the worth of the data or who would want it, "I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data," the hacker said pointing to the fact that the data included patients' names, ages, addresses, Social Security and driver's license numbers.

A call seeking comment on the incident from the Virginia PMP program office was not immediately returned. A call to the Virginia State Police seeking confirmation on whether it is investigating the reported incident also was not immediately returned.

As of Wednesday, the main PMP Web site and all links on the site were unavailable.

The PMP was set up in the wake of a spate of drug abuse-related crimes and some deaths in the commonwealth involving the painkiller Oxycontin. It allows pharmacists and health care professionals to track prescription drug abuse, such as patients who go "doctor shopping" to find more than one doctor to prescribe narcotics. According to a description of the program from a cached version of the site, as of Jan. 1, there were more than 31.6 million records in the PMP database. Doctors, pharmacists and other authorized users make requests for data from the PMP database via a secure Web page, the description said.

The Richmond Times-Dispatch reported Tuesday that the FBI and State Police had confirmed investigations of a hacking incident at the PMP. The story also quoted Virginia Gov. Timothy Kaine as saying the compromised data was not the same as patient files from doctors' offices. "These were not patient records, so it's not compromise of health-care information about particular individuals," the governor is quoted as saying in the Times-Dispatch.

The compromise comes at a time of heightened privacy and security concerns surrounding medical data. President Obama's recently passed economic stimulus package includes a health care component, which initially provides $20 billion for the creation of a national health records system. The bill mandates new privacy and security controls for health care data that are seen as being long overdue.

The controls go beyond those available under HIPAA (the Health Insurance Portability and Accountability Act) and are expected to be more strictly enforced than HIPAA rules have been.

The breach at the Virginia health agency highlights the "overall lack of compliance" with HIPAA within the health care sector, said Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas.

"HIPAA by and large has been ignored, not because it is unimportant, but because of a lack of will to really [enforce] it," MacKoul said. "Much like all other regulations, if there is no real enforcement, this type of thing will continue to happen over and over again," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackerswikileaks

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?