“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh
For $10 million, I will gladly send along the password.”
The hacked Virginia Prescription Monitoring Program site is used by pharmacists to track prescription drug abuse. Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, said a criminal investigation is underway.
They better find that hacker. The American Recovery and Reinvestment Act of 2009 signed into law in February included $19 billion for computerized medical records.
Via Brian Krebs at Security Fix, where the first commenter said:
The threat presented by hacking is the principal reason I’m against electronic medical records. The risk is just too big. Here’s one case where I think low tech is safer.
Hard to define safer. Safer against risk of large numbers of records being stolen? Privacy risks? Paper is certainly better. But how many people get bad medical treatment due to lack of knowledge since paper records are not easily accessible? How many of those die? Obviously, one has to weigh which risks are more important.
Plus, we all know once something is set on paper, it is functionally immortal and immune to any damage.
Way too late…
There isn't a single pharmacy chain that does not use computerized records to keep track of what drugs they sold and to whom, and there isn't a single hospital that does not use computerized records to keep track of what drugs and procedures have been performed on you, and we won't even talk about all the medical information insurance companies have about you.
The only person in the medical complex who does not use computers is the doctor writing his notes and diagnosis on a sheet of paper; once you leave the consultation room you start to create an electronic record of your medical history.
This is a prescription drug monitoring program, and the sheer volume would make paper records impractical. You have to be able to collate and cross-reference millions of prescriptions, something that would be impossible with paper records.
The problem isn't electronic records in this case, it's that the records were not adequately protected and backed up.
https://www.pmp.dhp.virginia.gov/pmpwebcenter/l…
I wonder if the site is secured by Bill Gates and the brilliant people at MS. Like the Coleman case and donors, somebody has “some splainin' to do” about security and offsite or multiple server backups.
You also have to remember that this was a state run program, which means it was likely being run from the state datacenter, which undoubtedly hosts many other state applications. Just because this person used the Prescription Monitoring Program for his “ransom” doesn't mean that he/she actually hacked the prescription monitoring program or that the prescription monitoring program data was the only data that he/she was able to access. Putting many unrelated programs together the way large organizations such as government entities do, without any kind of physical or often even logical security separation, is a recipe for disaster. A hacker can find their way in through a seemingly benign program that has no worthwhile information to steal and find a goldmine once they are in. It's time government started using tech people with real tech education and experience and held them reliable for doing due diligence in protecting data. Periodic security audits by external firms with no stake in the outcome sure wouldn't be a bad idea either.
Interesting point, nartcotechy. Of course, this means the government will need to be able to pay those techies something close to what they are worth on the open market, which very likely means 6 figures. Not disagreeing, just saying there's a cost.