Hackers seek payment after break-in on state health care site

Share this article:
Hackers are demanding $10 million to release some eight million patient records claimed to be in their control following the compromise of Virginia's Prescription Monitoring Program (VPMP) website.

Whistleblower site Wikileaks published a copy of the ransom note left by the hackers on the website, which is used by pharmacists to follow incidents of drug abuse. The note said the intruders possessed 8.3 million patient records and 35.6 million prescriptions. Also, the thieves said they created an encrypted backup of the data and deleted the original files.

"For $10 million, I will gladly send along the password," the note said.

Sandra Whitley Ryals, director of the Virginia Department of Health Professions, who is handling press inquiries, did not return a message seeking comment on Tuesday. The VPMP website remains inaccessible, but the ransom note has been taken down.

Security experts said the hack underscores the lack of security many organizations delegate to the web.

"If this all is correct, it indicates that several layers of protection failed at the VPMP," Sans Internet Storm Center handler Bojan Zdrnja wrote Tuesday on the organization's blog. "Without knowing more, we can't say if the web application was good or bad...but one thing that should never happen is [the] ability for a hacker to delete your backups. And indeed, any decent backup system will only allow you to back up the data or read it. Only the backup administrator should be able to delete the backups."

Mary Landesman, senior security researcher at web security firm ScanSafe, said companies increasingly are making it convenient for their employees to work remotely by making data accessible via the web. But this often serves as an invitation to criminals, who can launch attacks, such as SQL injection, to gain access to web server database contents.

She said health care records, in particular, shouldn't be reachable through the internet.

"It's just too risky," she told SCMagazineUS.com on Tuesday. "When you're talking about patient data, integrity of data is paramount. It frankly shouldn't be allowed anymore."

This is the second high-profile cyberextortion incident in the past six months. Late last year, pharmacy benefits management firm, Express Scripts, offered a $1 million reward for information leading to the conviction of the peerson who threatened to divulge the personal information of millions of its members. An FBI investigation continues in that case.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in News

Sign up to our newsletters

More in News

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.

Report: 75 million records compromised so far in 2014

Report: 75 million records compromised so far in ...

An updated report indicates that since this time last year, breaches have increased by 29.4 percent, with 568 breaches occurring this year.