Virginia Health Database Hacked

May 5, 2009

Brian Krebs, who writes the “Security Fix” blog for the Washington Post, has a report of a security breach in the Virginia Health Professions database associated with the Virginia Prescription Monitoring Program:

Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site’s homepage with a ransom note demanding $10 million for the return of the records, according to a posting on, an online clearinghouse for leaked documents.

The SANS Institute also has a brief article on this incident.

This is not the first attempt at extortion from a medical database provider, and it won’t be the last.  There are a couple of things that are worth noting: this was not just a bogus threat, since the hackers managed to replace the “Front Page” of the VPMP Web site.  They also claimed that they had deleted the site’s backups; if that is true, it is a truly horrendous breach of security.

A number of people have advocated introducing electronic medical records as a way to improve our broken health-care system.  While bringing medical record-keeping into (at least) the 20th century would undoubtedly have benefits, I really hope that security is more than an afterthought.

Update, May 7

Bruce Schneier has another article on this incident in his blog.
