State database hacker unknown a year later

A year after a computer hacker breached Virginia's statewide prescription drug database, investigators still don't know who did it.

Computer functions at the state Department of Health Professions, which runs the program, were disabled for weeks as a result of the April 30, 2009, cyberattack. The hacker claimed to have stolen more than 35 million prescription records and demanded a $10 million ransom.

A criminal investigation by the FBI and State Police remains open, but the perpetrator has not been identified, Diane Powers, a department spokeswoman, said Thursday. There is no evidence of identity theft or other misuse of patient records, she added.

The system's security measures have been beefed up and it is functioning normally, Powers said.

"All security upgrades possible for a system of this kind have been implemented," she said.

In the wake of the attack, the state mailed notices to 530,000 people whose prescription records may have contained Social Security numbers, alerting them to the potential for identity theft.

Social Security numbers have since been scrubbed from the system, Powers said.

The Prescription Monitoring Program collects information about every prescription for certain federally controlled drugs dispensed by Virginia pharmacies. The list includes drugs with a high risk of abuse, such as morphine, OxyContin and Ritalin.

The records contain the recipient's name, address and date of birth, the name and quantity of the drug prescribed, the date, and identifying numbers for the prescriber and dispenser.

The purpose of the program is to combat drug abuse by allowing health professionals to track prescriptions. Access to the database is restricted to about 2,500 registered users, mostly doctors and pharmacists.

About 1 million prescriptions are added to the database every month.

The security of the records is an ongoing concern, Powers said: "We can never really let our guard down."

Bill Sizemore, (757) 446-2276, bill.sizemore@pilotonline.com