Web site offline as police, FBI investigate $10M extortion bid

Computerworld - A week after a hacker claimed to have broken into a patient database and encrypted millions of prescription records at a Virginia health agency, its Web site remains offline except for a static Web page offering contact information.

Meanwhile, a statement released yesterday from the Virginia Department of Health Professions (DHP) said that all the data has been backed up and that the backup files have been secured.

A DHP spokeswoman said today that the decision to keep the agency's Web site offline was an effort to remain cautious while the state police and the FBI investigate the incident. The DHP is carrying on with all of its normal licensing and regulatory activities, but none of its online services are available, the spokeswoman said.

"Our Web applications will remain noninteractive until it is determined by experts both criminal and IT that it is completely safe for us to bring it back up," she said.

The agency disabled the Web site last Thursday after an alleged hacker posted a note claiming to have broken into the secure site for the Virginia DHP's Prescription Monitoring Program (PMP).

The note claimed the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions from a PMP database and then deleted the original data. The hacker sought a $10 million ransom for the password to decrypt the data.

"Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh," the hacker is supposed to have said in his note, a copy of which was available on whistleblower site Wikileaks.org which was first to report the incident last Sunday. The note gave DHP officials one week to "pony up" the ransom. If it failed to do so, the hacker threatened to sell the data, which includes names, addresses and Social Security numbers, to the highest bidder.

After initially keeping mum about the incident, Virginia DHP Director Sandra Ryals late yesterday issued a statement (download PDF) confirming a criminal investigation "regarding a potential security breach" of the PMP database. The statement said the agency could not publicly disclose details of the incident because of the ongoing investigation. It also said all the has been "properly backed up and that these backup files have been secured."

"The entire DHP system has been shut down since Thursday to protect the security of the program data," the statement said.

The PMP was set up as a way for pharmacists and health care professionals to track prescription drug abuse, such as incidents of patients who go "doctor-shopping" to find more than one doctor to prescribe narcotics. According to a description of the program from a cached version of the site, there were more than 31.6 million records in the PMP database as of Jan. 1. Doctors, pharmacists and other authorized users make requests for data from the PMP database via a secure Web page, the description said.

A spokeswoman from the Virginia State Police today confirmed that it is investigating the reported breach along with the FBI. According to the spokeswoman, the state police were contacted by the DHP last Thursday.

"We immediately initiated an investigation into the allegations made in the extortion letter and any potential intrusions into the department's servers right way," she said. She would not comment further because the investigation is ongoing.

Read more about security in Computerworld's Security Knowledge Center.