In recent days, visitors to the Virginia Department of Health Professions' Web site have been greeted with a note explaining that the agency "is currently experiencing technical difficulties." It's a bit of an understatement.
On April 30, a hacker posted a taunting message on the site, claiming to have stolen prescription records. The records are part of a supposedly secure database set up for access by doctors and pharmacists to thwart the abuse of controlled substances such as OxyContin, Vicodin, Xanax and Ambien. The hacker's message included a $10 million ransom demand.
State officials aren't providing many details about the attack, which remains under investigation. The Web site contains links to a news release about a "potential security breach" and a Q&A for consumers outlining what sort of information the database contains.
According to the department, it's unlikely that the info - if it really is in the possession of a hacker - could be used to steal the identities of consumers. But some pharmacists may have used customers' Social Security numbers to enter data, so Virginians are being advised to monitor bank accounts and credit reports.
Marilyn B. Tavenner, the state's secretary of health and human resources, told a legislative committee this week that the state still has the information on the database - contrary to what the hacker's message claimed.
This much is clear: An intrusion occurred. State officials need to follow through, swiftly, on Gov. Timothy M. Kaine's pledge to tighten security, not only at this department's site but at other agencies'. The protective measures should include further restrictions on the use of Social Security numbers in databases for identification when other means are available.
Several dozen states besides Virginia operate prescription databases, along with other limited-access sites that contain sensitive information.
In addition, the Obama administration is pushing for widespread computerization and linkage of medical records. The main goals - improving the quality of care and reducing administrative costs - are worthy, but the Virginia experience shows the project carries inherent risks.
A Luddite response - scrapping a move toward greater use of electronic records - isn't wise. But government agencies need to ensure that a full-scale rollout of a national health information network doesn't occur until security measures are in place and a rapid response team is ready to go after intruders. "Technical difficulties" need to be addressed through preventive steps, not after the illness has spread.

Ummm..
just what does it take to 'qualify' for a govt job?
Seems like some merchants
Seems like some merchants also had their customers' credit card databases hacked. This is OK with you while the government is supposed to be foolproof? I've noticed for years that those who criticize the government the most are the ones who tried and failed to qualify for a government job. Sour grapes. So, you are not as smart as you think you are.
The problem is not the
The problem is not the hackers. The problem is that the database is there in the first place.
Just what I expect out of a government agency
For all of you who want universal government run health care, just remember these are the type of people who will run the program.
Hmm..
If a govt entity at any level cannot ensure the security of my medical records, what other aspect of medical care might they not be able to guarantee? And a govt that might deny health care based on age and/or severity, all due to the costs involved, and is spending money like there's no tomorrow with dubious results, wants to take over the entire industry? Geezz, where is the editorial statesmanship needed here?