Virginia Governor Won't Pay Hackers' $10 Million Ransom
Gov. Timothy Kaine told The Washington Post Thursday that the state will not acquiesce to the hackers' demands for $10 million in exchange for millions of patients' pharmaceutical records. "This was an intentional criminal act against the commonwealth by somebody who was trying to harm others," Kaine said.
The FBI and the Virginia State Police are continuing to investigate hackers' claims that they deleted and stole more than 8 million patient records and more than 35 million prescription records from the Prescription Monitoring Program Web site before demanding $10 million in exchange for a password that would allegedly retrieve them from an encrypted file.
The hackers threatened to sell the data to the highest bidder if the demand wasn't fulfilled within seven days of the heist. However, the deadline has come and gone with no indication thus far that the hackers followed through on their threat.
Sandra Whitley Ryals, director of Virginia Department of Health Professions (DHP), the government agency which oversees the PMP site, did not discuss details of the prescription data theft in a written statement but said that the agency was working "very closely and cooperatively with federal and state law enforcement to resolve the situation."
"A criminal investigation is currently under way regarding potential security breach of the Virginia Department of Health Professions Prescription Monitoring Program on Thursday, April 30. While DHP cannot comment directly on an ongoing investigation, we can assure the public that all precautions are being taken for DHP operations to continue safely and securely," Ryals said.
The prescription drug extortion scheme, posted Tuesday on the anonymous information leak forum Wikileaks.org, was made public April 30 after hackers defaced the PMP site with a ransom note, which threatened to expose the data if the $10 million demand was not met.
"You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid," the hackers wrote.
In their note, the hackers claimed that they also deleted the state's backup copies of the pharmaceutical prescription information. Ryals maintained that although the DHP's computer systems have been shut down since last week, all of the stolen data was backed up and secure.
Ryals said that the DHP's Web site and e-mail systems have been shut down since the April 30 hack to "protect the security of the program data," but said that all of the alleged lost data was backed up and the systems have been secured.
State officials say that they are uncertain whether the hackers' claims are true. If the claims are real, the theft would constitute one of the most serious cybercrime incidents the state has faced, according to The Post.
Security experts say that the Virginia prescription drug hack will likely underscore the need to comprehensively secure extremely sensitive data, such as health-care records, as Congress and other industries push to make them available online.
"There's not enough due diligence," said Paul Ferguson, advanced threat researcher for Trend Micro. "There are some very clever and unscrupulous people out there who find ways to get access to this stuff."
The PMP was launched in 2003 as a state-run database that collects pharmaceutical prescription information with the aim of tracking and preventing illegal sales, abuse and theft of controlled prescription drugs such as OxyContin and Vicodin. The information is made available only to registered health-care professionals, including licensed pharmacists, but does not collect or maintain medical patient histories.