May 07, 2009, 4:44 PM — The Virginia agency in charge of an online medical-prescription database used by pharmacists and law enforcement to prevent drug abuse in the state Thursday acknowledged a data breach of it may have occurred but refuted the notion the database had been wiped out by the unknown attacker.
The Virginia Department of Health Professions is the state agency which operates the Virginia Prescription Monitoring Program, which makes available online a database of patient records and prescriptions with the intent of preventing abuse of controlled substances.
Media reports, based on information first made available by WikiLeaks, a Web site tracking information security breaches, this Monday cited a message from a hacker who claimed to have seized the database contents of over 8 million patient records and 35.5 million prescriptions, locked it into a encrypted, password-protected file, and deleted the backups, while demanding US$10 million to return the records.
In a statement issued Thursday, the agency acknowledged that "an unauthorized message was posted on the Prescription Monitoring Program website," but refuted the notion that the entire database had somehow been wiped out by an attacker
"We are satisfied that all data was properly backed up and that these backup files have been secured," said Sandra Whitley Ryals, director of the Virginia Dept. of Health Professions (DHP) in a statement. The agency is declining to discuss the matter further at this point, adding a criminal investigation is underway and the agency expects to be able to comment further in a few days, including through statements available at www.dhp.virginia.gov.
The Virginia Prescription Monitoring Program was shut down its online access to records for the present.
The program, started in 2003, established an online database that was given Internet access about two years ago, with help from a $400,000 grant as well as a legal settlement with Purdue Pharma, convicted of overpromoting the painkiller OxyContin.
Pharmacies and other dispensers of pharmaceuticals licensed by the Virginia Board of Pharmacy at DHP must report to the PHP twice a month on covered substances given to recipients, including the individual's name and address, date of birth, sometimes a Social Security Number, and other information about the medications, including number of re-fills. Individuals over the age of 18 may receive the information stored about them in the database, according to DHP.
The DHP said it is "not aware of any evidence indicating any personal information may be at risk," but urged those whose information may be in the database to "remain vigilant over the next 12 to 24 months," to be on guard against identity theft, especially as regards financial statements.
