Julian Walker
The Virginian-Pilot
©
A week after a hacker claimed to have stolen sensitive patient information from a Virginia Web site that tracks prescription drug use, state officials say they don’t know whether the information was compromised.
Officials confirmed Wednesday that an unauthorized message was posted on the Prescription Monitoring Program Web site last Thursday. According to WikiLeaks, an open-government Web site, the message was a ransom note claiming that the entire database, containing more than 35 million prescription records, had been stolen by a hacker.
The hacker claimed to have deleted the original database and created an encrypted backup copy.
“For $10 million, I will gladly send along the password,” the message read. “You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid.”
The hacker included an e-mail address with the user name “hackingforprofit.”
The FBI and the State Police are investigating. The Web site, operated by the state Department of Health Professions, has been shut down since last week for security reasons.
The Prescription Monitoring Program collects information about every prescription for certain federally controlled drugs dispensed by Virginia pharmacies. The list includes drugs with a high risk of abuse, such as morphine, OxyContin and Ritalin.
The database was set up as a pilot program in southwestern Virginia in 2003 and expanded statewide in 2006. Its purpose is to combat drug abuse by allowing health professionals to track prescriptions.
Access to the database is restricted to about 2,500 registered users, mostly doctors and pharmacists.
Emily Wingfield, chief deputy director of the Department of Health Professions, said the database contained 31.3 million prescription records as of Jan. 1 and about 1 million records are added every month. That lends some credibility to the hacker’s claim to have obtained more than 35 million prescription records.
Less credible, however, was a threat to disseminate personal data from the records such as Social Security and driver’s license numbers. That kind of information is not included in the database, nor is information about patients’ medical history.
The records contain the recipient’s name, address and date of birth, the name and quantity of the drug prescribed, the date, and identifying numbers for the prescriber and dispenser.
Sandra Whitley Ryals, director of the Department of Health Professions, said she was satisfied that all the data were properly backed up and that the backup files are secure.
Gov. Timothy M. Kaine said that if it is determined that Virginians’ personal information has been compromised, those affected will be notified. The notification may not be immediate, he added, because he doesn’t want to do anything to inhibit the investigation.
“This was an intentional criminal act against the commonwealth by somebody who was trying to harm others,” Kaine said. “Right now, our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted.”
Maintaining the security of data held by the state is a daily challenge, said Peggy Ward, Virginia’s chief information security officer.
“We keep building better controls, and criminals keep finding ways of getting around them,” she said. “Then we build better controls and they do it again.”
From July 2007 to September 2008, state officials reported 93 “information security incidents.” Of those, 30 were classified as the use of malicious software to modify or obtain state information.
Officials said it is unlikely that information from the prescription database could be used for identity theft.
Nevertheless, they recommended that Virginians covered by the database “remain vigilant” for the next year or two, checking their bank accounts and credit reports for signs that their information is being misused.
The most likely danger is public embarrassment, said Jay Levine, a pharmacist at Atrium Pharmacy in Norfolk.
“The people who should be worried are politicians and people like that who don’t want information getting out about what drugs they’re on,” he said.
Bill Sizemore, (757) 446-2276, bill.sizemore@pilotonline.com
Julian Walker, (804) 697-1564, julian.walker@pilotonline.com
Delicious
Digg
Reddit
Facebook
Twitter
Google
Yahoo
computer security
Looks like another VITA/NG issue again. This partnership has wasted more tax money than is known. And now they cannot even provide basic computer security to guard the publics information. This added to the sorry equipment that we are issued, the networks that were slowed down from 1000 KBPS to 100 KBPS, the lack of and sorry tech support, and uncarrying attitude of state officials all make this worse. I hope that someone finds a way to sue VITA/NG if their information is used. Instead of paying the ransom, VITA/NG should offer the hacker a job. He is obviously better than their employees. Our agency just lost two good computer techs because VITA/NG made their job impossible. They could not even answer a simple question from us without having to create a trouble ticket so that we could be charged for it. Focus more on the computer issue here than the fact that the list exist.
Sounds like a long overdue program to me.
While it is unfortunate that the security of the database may have been compromised, I think this program is great! Doctors prescribe painkillers left and right, but there is nowhere to turn if you become addicted. I know many patients (my husband included) who have become addicted and began doctor shopping when their primary doctor was clueless about detox. Doctors have become legal drug dealers for many patients whether they are aware or not. A program like this holds doctors responsible for over-prescribing medications as well as gives them the knowledge they need to identify an addict. I hope this program is expanded to the national level!
Drug users
It would only be embarrassing if you didn't actually need the drugs you take. Everybody uses some type of drugs these days. Some of us just choose ones that grow naturally from mother earth.
Stolen Prescription Records
Not a good thing to read about...
This didn't register...
"database “remain vigilant” for the next year or two, checking their bank accounts and credit reports for signs that their information is being misused"
This, to me, means anyone who's had any type of pain prescription filled in this State. For all I know it may be every prescription we have filled.
Furthermore, the more I think about this database the angrier I become. What right has some agency got collecting our personal perscription data. If they want to know what we get from our docs they can ask.
Just wait until obumbler enacts government healthcare. Instead of insurance companies telling people what they can and cannot have there'll be inept government bean counters telling us.
I had read the story....Have you?
Per my understanding of the story: The hacker claims to have copied the database to her/his computer and deleted the original and the back-up from the DHP's system.
So did she/he do it or not?
Also: Can the Citizens of the Commonwealth file a class action HIPPA lawsuit against DHP? Obviously this sensititive Protected Health Information was not properly safeguarded. Lets get some gainful employment for those lawyers who have fallen on tough times.
This Guy
This guy must be pretty clever to be able to not get caught!!
thecommentdepot.com
Imagine an employer going on
Imagine an employer going on line and looking at an applicants pharmacy record. Is the person being treated for depression, do they have a heart condition are the arthritic? It is easy to determine from what medications you are taking what your medical history is. With the push towards electronic medical records and the push to transfer data to different points the risk of this happening again is great.
What would happen if a hacker got into a medical data base with malicious intent. Changing medical orders or prescritions or altering medical histories. This is a very serious issue.
really people? really?
lets put away the tinfoil hats for a minute and take a moment. PII risks are serious, but we don't know if the data has been compromised. we also don't know what exactly that data might be if it was. there is a plethora of information online about reducing your risk of 'identity theft'. your biggest risk would come from your own trash can. until the random threat and extortion from the internet is substantiated its not time to circle the wagons.
Additions to the list (part 2)
(Sorry - my previous post was truncated - here is the rest)
Or, how about the Virginian-Pilot reporters who end an article on such an important topic with such an insulting comment. As a long-term-subscriber, I recommend they ought to worry about that.
By the way, one concrete piece of information that could be helpful would be a list of ALL medications included in the database. That way, if a patient sees their med on the list, they can begin to take steps to protect (what's left of) their privacy without waiting for those affected to "be notified eventually".