Known: a hacker gained access to the Virginia Prescription Monitoring Program and then asked for a ransom of $10 million. According to The Virginian-Pilot, the following is also known:
The database contains records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse, such as OxyContin, Vicodin and Xanax.
The records include patients' name, address and date of birth, the name and quantity of the drug prescribed, and identifying numbers for the doctor and pharmacist.
What is unknown is whether the hacker gained access to customers’ social security numbers, which were placed alongside many of the customers’ pharmacy records. Throw in 1,400 or so doctors and pharmacists who entered their social security numbers and you have the potential for a real mess.
Also unknown is whether the database was encrypted. The hacker stated that he had copied the database and deleted the commonwealth’s backups of the database, although Virginia claims to still have access to its backups.
One thing is for certain: some administrator is hating their life right now while they have to explain why 530,000 patients must now watch their credit reports and bank accounts more diligently than ever.
Finally, there is the irony in what the Roanoke Times reports:
…lawmakers were told that the VDHP ranked in the top 5 percent of state agencies in an audit of information security.
Not the most confidence-inspiring statement the state could make.
Databases are ultimately one of the great prizes for hackers. In one fell swoop they can acquire more data than if they stole 100,000 laptops. This is an excellent example of why database security and encryption should be paramount for any organization that stores sensitive information. Way to learn one the hard way, Virginia.
Michael Mongold