Hacker claims to hold 8M patients’ prescription records for ransom

The FBI and Virginia State Police are investigating the potential breach of more than 8 million patients’ medical prescription records after a hacker broke into a commonwealth Web site and posted a ransom note demanding $10 million for the data’s safe return.

Officials at the Department of Health Professions, which oversees the potentially breached Prescription Monitoring Program, skirted questions about the hacker’s claims Tuesday.

When asked whether millions of Virginians should be worried whether data regarding what prescription medications they take is secure, department Director Sandra Whitley Ryals told The Examiner: “We have no confirmation that the information is anything but safe,” and declined to comment further, citing the ongoing criminal investigation.

The monitoring program is a statewide database of prescriptions for federally controlled pharmaceuticals. It’s designed to prevent patients from obtaining multiple prescriptions from different doctors for the same medication.

People concerned about their information in the database can call 804-367-4566, but Ryals said they would only be told the department was “unable to provide details” because of the criminal investigation.

The ransom note appeared on the Prescription Monitoring Program’s Web site Thursday and read: “In my possession, right now, are 8,257,378 records and a total of 35,548,087 prescriptions. … Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁 for $10 million, I will gladly send along the password.”

Computer experts said it could be possible for a hacker to gain access to such a database, but that likelihood would depend on how the interface between pharmacists and the database works. If pharmacists load information directly into the Web site, it’s an easy target, said Lillie Coney, associate director of the Electronic Privacy Information Center.

Officials would not comment on the database’s structure.

Ryals said after discovering the breach Thursday, the department shut down its Web site and e-mail programs, and immediately notified law enforcement. Some of those services have been restored, but the monitoring program’s Web site is still down.

The FBI and state police said they were investigating the note, its origins and the disruptions caused by Thursday’s breach, but also declined to say whether files were actually stolen.

Coney said if the breach occurred and the $10 million ransom was paid, there is no guarantee the victims would be safe.

“If these hackers are extorting the state,” she said, “there’s nothing to stop them from extorting individuals.”

 
