A computer hacker wants $10 million for the return of more than 8 million patient records and 35.5 million prescriptions taken recently from a secure Web site for the Virginia Prescription Monitoring Program, reported the Web site Wikileaks.
Wikileaks says the hacker left a ransom note on the VPMP Web site which read: "I have your [stuff]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
The VPMP Web site is used by pharmacists and other health officials to monitor prescription drug abuse. Virginia Department of Health Professions Director Sandra Whitley Ryals released a statement on Thursday confirming a criminal investigation is underway regarding the security breach.
"While DHP cannot comment directly on an ongoing investigation, we can assure the public that all precautions are being taken for DHP operations to continue safely and securely," she said.
Since DHP recognized the unauthorized message posted on the Web site, Ryals said, her department has been working closely with federal and state law enforcement. The DHP system has been shut down for the past week to "protect the security of the program data," she said.
"We are satisfied that all data was properly backed up and that these backup files have been secured," she said.
Ryals added that her office will share additional details in the coming days on the agency’s Web site.
M.A. Myers, media coordinator for the FBI field office in Richmond, VA, told HealthLeaders Media Tuesday, "In conjunction with the Virginia State Police, we are looking into the incident, but we aren't making any further comment beyond that. Unless there is a reason for us to have media attention, we generally don't comment on pending cases."
In October 2008, hackers accessed millions of electronic patient files held by Express Scripts Inc. and threatened to expose the records unless the drug benefits company paid a ransom. Express Scripts, the nation’s third-largest drug benefits manager, posted a $1 million reward for help catching the culprits, who remain at large.