Hacker says he stole confidential medical data on 8 million Virginia residents

By Molly Merrill
11:00 AM

A Virginia government Web site was replaced last week with a ransom note from a hacker claiming he stole 8.3 million patients' personal and prescription drug information. The hacker says he wants $10 million for the safe return of the information.

The Virginia Prescription Monitoring Program's site tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees' personal information, such as names, social security numbers and addresses.

According to Wikileaks.org, an online clearinghouse for leaked documents, on April 30 the secure site for the Virginia Prescription Monitoring Program was replaced with the following ransom demand:

"Attention Virginia! I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."

The hacker, who taunts the FBI and lists his own email address as "hackingforprofit@yahoo.com," claims the database of prescriptions has been bundled into an encrypted, password-protected file.

The Virginia Department of Health Professions Web site has been temporarily disabled and now features a notice saying the site is "experiencing technical difficulties which affect computer and email systems." According to the department's director, Sandra Whitley Ryals, the breach is under federal investigation.

Speculation has risen about whether or not the Virginia Department of Health Professions has back-ups of the patient database.

"It is possible that they do have back-up, but they fear the massive damage if patients' data is used for identity theft," says Deborah C. Peel, MD, founder of Patient Privacy Rights.

"This is a lesson for all health systems," she says. "Providence hospital system spent $8-9 million fending off lawsuits for a breach... You have to prove you can be trusted, especially in the wake of a disaster. And why not announce the actions they are taking - more specifics about who is investigating and more details as they are known," she added. "Treat the public not as an enemy but as the ones that deserve to know, the ones who hired them in the first place to care for residents of the state."

Robert Coffield, a healthcare lawyer practicing at Flaherty, Sensabaugh & Bonasso, PLLC and author of the Health Care Law Blog, says that oftentimes you don't want to disclose too much information, or it may compromise the investigation. Coffield points out that this could be a hoax.

"There is indication that this is a real situation but it is too early to speculate at this point what has occurred is truthful," he says. "We have to remember that this is a pretty technical and difficult process to go through."

The alleged breach has also raised questions about whether, under the HIPAA privacy rule, the Virginia Department of Health Professions is required to notify individuals impacted by the breach.

Coffield says that it does not. "However, when I have assisted clients with these types of data breach situations in the past I typically discuss with the client whether it is good practice to provide notification. The HIPAA privacy rule provisions do contain a requirement that a covered entity should mitigate potential harm to patients/individuals when there is a violation of the privacy rule. My interpretation is that this might, under certain circumstances, include providing notice to such individuals whose data has been compromised. Handling these situations is very fact specific and depends upon a number of factors."

One such factor is whether Virginia was the only state involved. "The Virginia Department of Health Professions will likely have to assess the Virginia Data Breach Act (state-by-state survey of state breach laws by the National Conference of State Legislatures) to see whether notification or other action is required under state law."

Nancy Glasheen of the Virginia Health Commissioner's Office said the office knew of the data breaches but that most of the department's resources have been devoted to managing issues surrounding swine flu. "Everyone right now is heavily involved in H1N1, so a lot of our senior management is unavailable," she said.

Virginia Gov. Tim Kaine's (D) press secretary, Gordon Hickey, said there would be no official statements from the Governor's office while the investigation is still open. When asked to comment on the potential effects the data hijacking could have on Virginia's citizens, Hickey said, "That's the whole point of the investigation - to find out what's going on."
