Brian Krebs, who writes the “Security Fix” blog for the Washington Post, has a report of a security breach in the Virginia Health Professions database associated with the Virginia Prescription Monitoring Program:
“Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site’s homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.”
The SANS Institute also has a brief article on this incident.
This is not the first attempt at extortion from a medical database provider, and it won’t be the last. A couple of things are worth noting. This was not just a bogus threat, since the hackers managed to replace the “Front Page” of the VPMP Web site. They also claimed that they had deleted the site’s backups; if that is true, it is a truly horrendous breach of security.
A number of people have advocated introducing electronic medical records as a way to improve our broken health-care system. While bringing medical record-keeping into (at least) the 20th century would undoubtedly have benefits, I really hope that security is more than an afterthought.
Update, May 7
Bruce Schneier has another article on this incident in his blog.