Virginia Prescription Monitoring Program Website Info Held for Ransom


A story first reported on Wikileaks, and today on Brian Krebs's security blog at the Washington Post, says that the state of Virginia's Prescription Monitoring Program website "was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file."

The Prescription Monitoring Program collects information on prescriptions dispensed across the state and provides prescriber education. The website is used by pharmacists and state officials to track prescription drug abuse.

According to the story, a hacker claims to have copied and then deleted 8,257,378 patient records and a total of 35,548,087 prescriptions, including back-ups. The hacker is said to have posted a ransom note on the site saying that he would be willing to return the information for $10 million.

Virginia state officials and law enforcement are remaining mum about the situation, and the Prescription Monitoring Program website is unavailable.

How the hacker was able to get into the site, as well as get to the back-up tapes, will prove to be very interesting and potentially embarrassing to the state. Whether it will also prove embarrassing to Aneesh Paul Chopra, Virginia's CTO and the new Obama Administration's first CTO designate, remains to be seen.

I wrote about a similar incident involving Express Scripts, which is still offering a $1 million reward for information on that extortion attempt.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City