Hacker Holding Health Records Hostage Demands Ransom
When users logged into the Virginia Prescription Monitoring Program (PMP) site April 30, they found a ransom note that also was posted on Wikileaks, a site that posts untraceable documents. The PMP has since disabled the link.
"I have your [expletive]!" read the note on the Wikileaks site. "In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh :( For $10 million, I will gladly send along the password."
Virginia set up the database in November 2007 after a spate of serious crimes primarily involving OxyContin made headlines, including a segment on "60 Minutes." The PMP was designed so that pharmacists can cross-reference prescriptions to see if a patient is issued multiple scripts for narcotics by different physicians.
The PMP extortionist warns that, "If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this [expletive] is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver's license #)."
This is not the first time and certainly won't be the last that hackers have broken into health information records and demanded money for the return of confidential records.
In November 2008, Express Scripts, one of the largest pharmacy benefit management companies in North America, fell victim to this practice that has been dubbed "cryptoviral extortion."
"A small number of its clients have received letters threatening to expose the personal information of its members," the company said in a letter on its Web site. "The threats are believed to be connected to an extortion threat the company made public last week."
Those letters included personal information such as Social Security numbers, dates of birth and, in some cases, prescription information, the company said.
Express Scripts said it first received a letter the previous month that threatened to publicly expose millions of the company's members' records if an extortion threat was not met. The original letter included the personal data of 75 Express Scripts members.
The company is working with the FBI, and has posted a $1 million reward for the arrest and conviction of whoever is responsible for the breach. Express Scripts also said it would offer its members free identity restoration services from Kroll, a New York-based risk-consulting and global data security firm, if they become victims of identity theft because of the hacker.
Express Scripts said that it is not aware of any actual misuse of its members' data.