FBI Investigates Hackers' $10 Million Ransom Demand

By Stefanie Hoffman, CRN
May 07, 2009    7:59 PM ET

The director of the Virginia agency that oversees the state's prescription-drug information said Wednesday that the FBI is now investigating an extortion incident in which hackers allegedly deleted 8 million patient records and demanded a $10 million ransom in return.

Sandra Ryals, director of the Department of Health Professions, which oversees the prescription-drug-information database, said in a statement that the agency is doing everything it can to ensure the security of its sensitive health information. Ryals also said that the department's Web site and e-mail systems have been shut down since last April 30, but that all lifted data was backed up and the files were secure.

Altogether the hackers infiltrated the Virginia prescription-drug database, then deleted more than 8 million patient records and more than 35 million prescriptions before posting an online ransom note demanding $10 million for their return.

The FBI is currently investigating a report that hackers infiltrated the Web site of the Virginia Prescription Monitoring Program, which contains information used by pharmacists to track prescription-drug abuse and theft, in order to delete and steal millions of patient and prescription records, according to The Washington Post.

In the extortion scheme, first discovered Tuesday on wikileaks.org, an anonymous online information leak forum, hackers defaced the Virginia Prescription Monitoring Program Web site with a ransom note that demanded $10 million in exchange for a password that would unlock tens of millions of deleted patient records and prescriptions. The hackers also said that they eliminated the state's backup records on the PMP site and then encrypted the backup data in a password-protected file.

"I have your ***! In my possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh :( For $10 million, I will gladly send along the password."

The hackers threatened that if the government agency didn't respond within a week, the patient information would be auctioned off to the highest bidder.

Virginia DHP's Ryals declined to comment specifically on the stolen records to the newspaper's Security Fix blog Tuesday, but maintained that the intrusions were discovered April 30. In response to the hack, the DHP subsequently shut down dozens of its Web pages, including the PMP site, and discontinued e-mail to and from the department pending the outcome of a security audit, Ryals said. A banner advisory on the VDHP Web site warned users that the site was "currently experiencing technical difficulties which affect computer and e-mail systems." Links to the PMP Web site were also disconnected from wikileaks.org and were inaccessible at the time of writing.

"There is a criminal investigation under way by federal and state authorities, and we take the information security very seriously," she said.

The Virginia PMP extortion incident is the second to occur within the last year. Express Scripts, a pharmacy prescription processor, offered a $1 million bounty in November for information leading to the arrest of hackers who threatened to expose millions of stolen patient medical records if the company failed to pay a demanded ransom.

Security experts say that the recent Virginia Prescription Monitoring Program hack represents a major threat for the health-care industry, which is currently undergoing an overhaul to digitize patient records and make them available on the Web.

"This is a major fear," said Paul Ferguson, advanced threat researcher for Trend Micro. "We're rushing so quickly to put electronic health records online, we weren't doing the right things to make sure they're secure."

Ferguson said both of these medical extortion incidents should serve as a wake-up call to health-care and other industries about imminent security threats, and could possibly prompt them to enhance their security infrastructure to address those problems.

"This issue has come up on several types of electronic sensitive data issues in the past few weeks. It's not just electronic health-care records, it's not just credit-card payment processors. It's the entire landscape," Ferguson said. "Hopefully, if there's any good that comes out of it, it raises the specter of unscrupulous people gaining access to records that are very sensitive and very private."

