The Virginian-Pilot
©
The possible breach of a state electronic prescription drug database could have an ironic effect: promotion of prescription drug fraud and abuse, the very thing the system was set up to deter.
That suggestion came from outside experts Thursday as the FBI and State Police continued investigating last week's unauthorized intrusion on the Web site of the Virginia Prescription Monitoring Program.
According to WikiLeaks, an open-government Web site, the intruder was a hacker claiming to have gained access to more than 35 million prescription records and demanding a $10 million ransom.
The statewide database was established in 2006 to combat prescription drug abuse, which is increasingly recognized as a national public health issue. Overdose deaths from prescription drugs now exceed those from illegal drugs.
The database contains records of every prescription dispensed by Virginia pharmacies of certain drugs with a high potential for abuse, such as OxyContin, Vicodin and Ambien. Until it was shut down in the wake of the hacker attack, the system allowed doctors and pharmacists to track those prescriptions and watch for patterns of abuse.
If the database is now in the hands of a hacker, Virginians whose prescription records were stolen are "at risk of medical identity theft," said Rob Douglas, editor of the Web site www.IdentityTheft.info.
The records include the patient's name, address and date of birth, the name and quantity of the drug prescribed, and identifying numbers for the prescriber and dispenser.
"With that information, it is plausible that a medical identity thief could contact the pharmacist and initiate a refill of that medication," Douglas said. "These are highly sought-after drugs, easily converted to cash on the street in sales to addicts.
"If I were the state, I would be very concerned that their system has now been compromised."
In addition, he said, individual Virginians have reason for concern. If their records are used for illicit refills, he said, it could make it difficult for them to get legitimate refills.
Douglas advised people who suspect their records are vulnerable to contact their doctor, pharmacist and insurance carrier and ask them to note in their records that there is a potential for prescription fraud.
Kathy Siddall, a spokeswoman for the state Department of Health Professions, which maintains the prescription database, declined to speculate on the scenario laid out by Douglas, noting that the state doesn't yet know for sure that the database was breached.
If the investigation determines that there was a breach, Gov. Timothy M. Kaine said Wednesday, then all Virginians affected will be notified.
On Wednesday, when state officials made their first official statement about the incident, they said it is unlikely the information in the database could be used to commit identity theft for financial purposes, because it doesn't contain Social Security numbers. However, they suggested that people covered by the database "remain vigilant" for the next year or two, checking their bank accounts and credit reports for signs of trouble.
Brian Wolfinger, vice president of LDiscovery, a digital forensics consulting firm, said Virginians should view the hacking incident as a wake-up call to the potential for identity theft.
Noting that everyone is entitled to one free credit report every year from one of the national credit reporting bureaus, Wolfinger said, "This is a great time to exercise that right and take stock of your current level of exposure."
Electronic prescription monitoring programs have been established in 38 states. The Virginia program had a $452,000 budget last year, funded primarily by a federal grant and a $20 million share of a 2007 court settlement by Purdue Pharma, the maker of OxyContin, for misleading the public about the painkiller's risk of addiction.
Siddall said she knows of no assessment of the program's effectiveness in curbing drug abuse.
The hacking incident has had repercussions beyond Virginia. Last week the Florida legislature passed a bill authorizing a prescription monitoring program similar to Virginia's.
A group of legislators sent a letter Thursday to Gov. Charlie Crist urging him to veto it, citing the Virginia incident.
During floor debate on the bill, proponents "assured us that there had never been a breach," state Rep. Carl Domino, one of the dissenters, said in an interview.
"We certainly don't want to subject the citizens of Florida to the agony that I'm sure some people in Virginia are feeling tonight."
Bill Sizemore, (757) 446-2276, bill.sizemore@pilotonline.com
Delicious
Digg
Reddit
Facebook
Twitter
Google
Yahoo
Unfortunate
It's too bad that a security measure designed to reduce a major social problem is being abused by the greedy. Vista Bay Rehab reviews numbers of reasons why people enter drug rehab and these types of regulations are making a difference.
Pittbull
Oh I think I know my facts. I am in the IT profession. These records can be hacked into. Please pray tell why and what else the EMR/EMT would need SSN's for. I refuse to give mine. There is absolutely no reason for it. The fact is that since you are in the medical profession, you don't have the facts about IT. How many more times do we have to have laptop computers stolen from Veteran Affairs with this info on. Stick with your EMR and your pittbull. I am right on this one.
Yep...
Yeppers folks, I feel oh-so much better when I think of the govt handling all aspects of health care!
Just the tip of the iceberg (or tidal wave)
As inept as "government" is at just about everything but war, what should the citizens expect? If you expect a system that is top-of-the-line, super-secure, and without problems, you're living in a dreamworld.
You DO get a system built by the lowest bidder out of the least expensive (but thoroughly overpriced) components, and then you hire a group of nitwits that can't get a decent job in the private sector to run it. Yeah, I feel safe that the "state" can protect my records better than a private or for-profit entity.
Taking that a step further, and as another poster noted, part of the Obama Deception on socialized healthcare (yeah, I know they like to call it "affordable care" or some other equally lame garbage) is that this will be a national problem with Big-Brother a key-stroke away from all your personal medical information. Think they won't use that data for less noble purposes?
Think again sheep!
What a crock - and by the way - this comment vetted by TASS
The VP reporting on this is too pathetic to be funny. Talk about supporting the government line. How could this not pose a real and direct threat for the patients that are in the database. Name, address, and birth date. Break-ins, going through your trash, and next you have identity theft, personal violation of your personal property or worse, and your medications cut off.
I know the VP wants to cover for the democratic governor and his administration but this really showcases the contempt the VP has for citizens of this state.
Medical indentity theft?
The medical profession uses the SSN for more then just identification. Know your facts before you start talking about conspiracy theories...the medical profession is out there to help you not hinder you or your identity. And as for EMR you have no idea what it takes to keep your stuff straight. EMR will help people not get drugs they aren't supposed to and other things as well..As I said before know your facts...
Just pay the ransom
Just pay the 10 million. Of course, the money should come from all, ALL, the people and agencies at all levels who have any involvement at with this fiasco, from top to bottom. It's high time that people are held personally accountable for their actions. If they accept the responsibility for collectiing and storing my data, then they are obligated to maintain it's security. They have broken this trust, so they should pay to recover the data.
Another downturn...
So I guess their not worried about some druggie/criminal perhaps learning of these peoples' names, addresses, and drugs...down to the dosage and quantity...and setting out to rob/burglarize these peoples' homes? This list is akin to a list of people who keep cash in their home...and now the names, addresses, and the amount of cash they keep is out there for who knows to find out.
Medical Identity Theft
If you think this is bad, just wait until congress, backed by the Obama administration has ALL of your medical records converted electronically. This will include names, birth dates, SSN, surgeries, hospital stays. Identity theft is bad enough as it is. The medical profession needs to do away with using SSN's along with medical records or any records for that matter. They should be used ONLY for employment, tax records, and retirement. Since every institution wants a person's SSN, and your identity gets stolen, you have no way to prove who sold you out or who is responsible. If I had my way, I would have it at all. It is merely a prison number as far as I am concerned.
It's going to get worse folks. Next it will be the mark of the beast. The rice chip in your hand.
What a mess
If this datasbasse is so important, and contains any PII about a person, it should have had the highest of security, to keep these things from happening, yes hackers are always trying to breach security, and that is why the state should have worked harder to prevent this. I can't understand why security was not tighter, I work in IT, and in the healthcare insurance business, and I know it is top priority to protect a persons PII and PIH information. The state apparently is lax in that area, so now all the people on that database are open to possible exposure, something that should not have happened. What a mess!!!