Tuesday, May 5, 2009

Security: Over 8 million patient records held for ransom in Virginia

According to Wikileaks, hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals.

The ransom note claims that the backups have "gone missing" (and makes a reference to the Coen brothers movie Burn After Reading).

I find it kind of hard to believe that the backups were destroyed. Best practices say to have off-site, secure backups (preferably in a different geographic region). This would be hard to compromise, even if it's an inside job.

The Economist had a special report on electronic health records a couple of weeks ago that argued an intelligent network was needed to share (and secure) health information. It looks like the report was timely.


  1. Here is the note:


    I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

    For $10 million, I will gladly send along the password.

  2. 10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?