'Hacker' threatens to expose health data, demands $10M
Hoax or the real thing? Virginia health agency Web site shut down but investigators mum
Computerworld - Days after a hacker claimed to have broken into a database and encrypted millions of prescription records at the Virginia Department of Health Professions, it remains unclear what happened.
Whistleblower Web site Wikileaks.org last Sunday carried a report from an anonymous poster who said that the secure site for the Virginia DHP Prescription Monitoring Program (PMP) had been broken into by a hacker who made a $10 million ransom demand.
The alleged ransom note posted on the PMP site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data.
"Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh," the hacker is supposed to have said in his note, a copy of which was available on Wikileaks. "For $10 million, I will gladly send along the password," for decrypting the data, the supposed hacker wrote.
The expletive-laden note goes on to say that authorities have seven days to decide if they will "pony up" the money. If the ransom is not paid, "I'll go ahead and put this baby out on the market and accept the highest bid," the note says.
The hacker admits that while he is unsure about the worth of the data or who would want it, "I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data," the hacker said pointing to the fact that the data included patients' names, ages, addresses, Social Security and driver's license numbers.
A call seeking comment on the incident from the Virginia PMP program office was not immediately returned. A call to the Virginia State Police department seeking confirmation on whether it is investigating the reported incident also was not immediately returned.
As of today, the main PMP Web site and all links on the site were unavailable.
The PMP was set up in the wake of a spate of drug-abuse-related crimes and some deaths in the state involving the painkiller Oxycontin. It allows pharmacists and health care professionals to track prescription drug abuse, such as incidents of patients who go "doctor-shopping" to find more than one doctor to prescribe narcotics. According to a description of the program from a cached version of the site, there were more than 31.6 million records in the PMP database as of Jan. 1. Doctors, pharmacists and other authorized users make requests for data from the PMP database via a secure Web page, the description said.
The Richmond Times-Dispatch reported Tuesday that the FBI and State Police had confirmed investigations of a hacking incident at the PMP. The story also quoted Virginia Gov. Timothy Kaine as saying the compromised data was not the same as patient files from doctors' offices. "These were not patient records, so it's not compromise of health-care information about particular individuals," the governor is quoted as saying in the Times-Dispatch.
The compromise comes at a time of heightened concerns about the privacy and security of medical data. President Barack Obama's recently passed economic stimulus package includes a health care component that initially provides $20 billion for the creation of a national health records system. The bill mandates new privacy and security controls for health care data that are seen as being long overdue.
The controls go beyond those mandated under HIPAA (the Health Insurance Portability and Accountability Act) and are expected to be more strictly enforced than HIPAA rules have been.
The breach at the Virginia health agency highlights the "overall lack of compliance" with HIPAA within the health care sector, said Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas.
"HIPAA by and large has been ignored, not because it is unimportant, but because of a lack of will to really [enforce] it," MacKoul said. "Much like all other regulations, if there is no real enforcement, this type of thing will continue to happen over and over again."
The reported incident in Virginia is identical to one reported by Express Scripts, a St. Louis-based prescription drug management company in October. The company said it received an extortion letter from data thieves who threatened to release millions of patient records if the company did not pay up.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts