Web site aimed at fighting illegal prescriptions gets hacked

Hackers last week attacked a Virginia state website that pharmacists use to track prescription drug abuse. The hackers deleted the information of more than 8 million patients and replaced the site's homepage with a ransom note demanding US$10 million.

The ransom note on the Virginia Department of Health Professions website read:

"I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."

"There is a criminal investigation under way by federal and state authorities, and we take the information security very serious," Sandra Whitley Ryals, director of Virginia's Department of Health Professions told The Washington Post.

The database that was hacked is the state's prescription monitoring program, which helps pharmacists monitor and prevent illegal prescription activity, such as prescription forgery and "doctor shopping," where one patient might be visiting different doctors and pharmacies to obtain certain prescribed drugs. Virginia is one 32 states to maintain such a database.

The investigation is being handled by the Federal Bureau of Investigation.

"At this point we're not commenting on the progress of the case but we're working in conjunction with the Virginia State Police," M.A. Myers, a spokesperson for the FBI told The Industry Standard.

Nearly a week after the hack, the site remains down and a message on the homepage simply states, "The Virginia Department of Health Professions is currently experiencing technical difficulties which affect computer and email systems. We apologize for any inconvenience this may cause."

Several months ago, The Standard reported on an electronic health record security breach at a Los Angeles hospital, where a former employee was accessing information and filing false insurance claims. And in October of last year, a prescription drug management company, Express Scripts, was sent a ransom note that threatened the release of millions of patient records.