On April 30, the secure site for the Virginia Prescription Monitoring Program was hacked and replaced with the following message (expletives deleted):
I have your s—! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁
For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this s— is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).
Now I hear tell the F—— Bunch of Idiots ain’t fond of payin out, but I suggest that policy be turned right the f— around. When you boys get your act together, drop me a line at firstname.lastname@example.org and we can discuss the details such as account number, etc.
Until then, have a wonderful day, I know I will 😉
Twelve days later, the site is still down — and the fate of millions of prescription drug records is unknown.
The issue was elevated to Virginia Gov. Tim Kaine late last week. On Thursday, Kaine told the Washington Post that the state will not pay the ransom, and that the FBI and Virginia State Police are investigating the computer attack.
The Virginia Prescription Monitoring Program, launched in 2003, is a state-run database that collects prescription information with the goal of tracking and preventing illegal sales, theft and abuse of controlled substances, such as OxyContin. More than 30 other states have enacted similar programs to tackle the growing problem of prescription drug abuse; it is expected that nearly every state will have such a program soon.
The Drug Enforcement Administration (DEA) says the monitoring programs have been of significant benefit. According to the DEA site:
Prescription drug monitoring programs are being used to deter and identify illegal activity such as prescription forgery, indiscriminate prescribing and “doctor shopping.” Most programs provide patient specific drug information upon request of the patient’s physician or pharmacist. Some state programs proactively notify physicians when their patients are seeing multiple prescribers for the same class of drugs. This assists healthcare professionals in managing patient care. It has been an extremely successful program to thwart diversion in a number of states.
Prescription drug monitoring sites are only accessible — or at least are supposed to only be accessible — to registered healthcare professionals, such as licensed pharmacists.
Computer security experts told ChannelWeb that the hacking underscores the need for better security of online prescription drug records and other sensitive data. The issue is a timely one, as President Obama is pushing to make even more healthcare information accessible online.
Said Paul Ferguson, advanced threat researcher for Trend Micro:
There’s not enough due diligence. There are some very clever and unscrupulous people out there who find ways to get access to this stuff.