A Virginia government Web site was replaced last week with a ransom note from a hacker claiming he stole 8.3 million patients' personal and prescription drug information. The hacker says he wants $10 million for the safe return of the information.
The Virginia Prescription Monitoring Program's site tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees' personal information, such as names, Social Security numbers and addresses.
According to Wikileaks.org, an online clearinghouse for leaked documents, on April 30 the secure site for the Virginia Prescription Monitoring Program was replaced with the following ransom demand:
"Attention Virginia! I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
The hacker, who taunts the FBI and lists his own email address as "firstname.lastname@example.org," claims the database of prescriptions has been bundled into an encrypted, password-protected file.
The Virginia Department of Health Professions Web site has been temporarily disabled and now features a notice saying the site is "experiencing technical difficulties which affect computer and email systems." According to the department's director, Sandra Whitley Ryals, the breach is under federal investigation.
Speculation has risen about whether or not the Virginia Department of Health Professions has back-ups of the patient database.
"It is possible that they do have back-up, but they fear the massive damage if patients' data is used for identity theft," says Deborah C. Peel, MD, founder of Patient Privacy Rights.