Virginia Dept. of Health: Database breached, not deleted
The Virginia agency in charge of an online medical-prescription database used by pharmacists and law enforcement to prevent drug abuse in the state Thursday acknowledged a data breach of it may have occurred but refuted the notion the database had been wiped out by the unknown attacker.
The Virginia Department of Health Professions is the state agency which operates the Virginia Prescription Monitoring Program, which makes available online a database of patient records and prescriptions with the intent of preventing abuse of controlled substances.
Media reports, based on information first made available by WikiLeaks, a Web site tracking information security breaches, this Monday cited a message from a hacker who claimed to have seized the database contents of over 8 million patient records and 35.5 million prescriptions, locked it into a encrypted, password-protected file, and deleted the backups, while demanding US$10 million to return the records.
In a statement issued Thursday, the agency acknowledged that "an unauthorized message was posted on the Prescription Monitoring Program website," but refuted the notion that the entire database had somehow been wiped out by an attacker
"We are satisfied that all data was properly backed up and that these backup files have been secured," said Sandra Whitley Ryals, director of the Virginia Dept. of Health Professions (DHP) in a statement. The agency is declining to discuss the matter further at this point, adding a criminal investigation is underway and the agency expects to be able to comment further in a few days, including through statements available at www.dhp.virginia.gov.
The Virginia Prescription Monitoring Program was shut down its online access to records for the present.
The program, started in 2003, established an online database that was given Internet access about two years ago, with help from a $400,000 grant as well as a legal settlement with Purdue Pharma, convicted of overpromoting the painkiller OxyContin.
Pharmacies and other dispensers of pharmaceuticals licensed by the Virginia Board of Pharmacy at DHP must report to the PHP twice a month on covered substances given to recipients, including the individual's name and address, date of birth, sometimes a Social Security Number, and other information about the medications, including number of re-fills. Individuals over the age of 18 may receive the information stored about them in the database, according to DHP.
The DHP said it is "not aware of any evidence indicating any personal information may be at risk," but urged those whose information may be in the database to "remain vigilant over the next 12 to 24 months," to be on guard against identity theft, especially as regards financial statements.
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
data breach
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
