Virginia Dept. of Health: Database breached, not deleted
The Virginia agency in charge of an online medical-prescription database used by pharmacists and law enforcement to prevent drug abuse in the state Thursday acknowledged a data breach of it may have occurred but refuted the notion the database had been wiped out by the unknown attacker.
The Virginia Department of Health Professions is the state agency which operates the Virginia Prescription Monitoring Program, which makes available online a database of patient records and prescriptions with the intent of preventing abuse of controlled substances.
Media reports, based on information first made available by WikiLeaks, a Web site tracking information security breaches, this Monday cited a message from a hacker who claimed to have seized the database contents of over 8 million patient records and 35.5 million prescriptions, locked it into a encrypted, password-protected file, and deleted the backups, while demanding US$10 million to return the records.
In a statement issued Thursday, the agency acknowledged that "an unauthorized message was posted on the Prescription Monitoring Program website," but refuted the notion that the entire database had somehow been wiped out by an attacker
"We are satisfied that all data was properly backed up and that these backup files have been secured," said Sandra Whitley Ryals, director of the Virginia Dept. of Health Professions (DHP) in a statement. The agency is declining to discuss the matter further at this point, adding a criminal investigation is underway and the agency expects to be able to comment further in a few days, including through statements available at www.dhp.virginia.gov.
The Virginia Prescription Monitoring Program was shut down its online access to records for the present.
The program, started in 2003, established an online database that was given Internet access about two years ago, with help from a $400,000 grant as well as a legal settlement with Purdue Pharma, convicted of overpromoting the painkiller OxyContin.
Pharmacies and other dispensers of pharmaceuticals licensed by the Virginia Board of Pharmacy at DHP must report to the PHP twice a month on covered substances given to recipients, including the individual's name and address, date of birth, sometimes a Social Security Number, and other information about the medications, including number of re-fills. Individuals over the age of 18 may receive the information stored about them in the database, according to DHP.
The DHP said it is "not aware of any evidence indicating any personal information may be at risk," but urged those whose information may be in the database to "remain vigilant over the next 12 to 24 months," to be on guard against identity theft, especially as regards financial statements.
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
data breach
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
