Hackers Say They Have Va. Prescription Drug Data, Demand $10 Million

By Brian Krebs and Anita Kumar
Washington Post Staff Writers
Friday, May 8, 2009

RICHMOND, May 7 -- The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom by Thursday for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database.

The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program.

"This was an intentional criminal act against the commonwealth by somebody who was trying to harm others," Gov. Timothy M. Kaine (D) said. "There are breaches that happen by accident or glitches that you try to work out. It's difficult to foil every criminal that may want to do something against you."

Although the hackers had threatened to sell the data if they did not receive payment by Thursday, the deadline passed with no immediate sign that they followed through.

State officials say it is unclear whether the hackers were able to view the patient records, as they have claimed. If the theft is real, it would be the most serious cybercrime the state has faced in recent history.

Sandra Whitley Ryals, director of Virginia's Department of Health Professions, declined to discuss details of the hackers' claims and referred inquiries to the FBI.

A spokesman for the FBI would neither confirm nor deny that the agency might be investigating.

State officials learned April 30 that hackers had replaced the site's home page with a ransom note demanding the payment in exchange for a password needed to retrieve the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.

"For $10 million, I will gladly send along the password," the ransom note read. "You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid."

The program's computer system has been shut down since last week's breach, but all data were backed up and those files have been secured, Whitley Ryals said. Virginians are still able to get prescriptions filled.

"We do have some of the systems restored, but we're being very careful in working with experts and authorities to take essential steps as we proceed forward," she said.

The state-run database helps doctors and pharmacies track powerful narcotics and painkillers to reduce the abuse, theft and illegal sale of the controlled substances sold under labels including OxyContin and Vicodin. It was set up as a pilot program in southwestern Virginia in 2003 and went statewide in 2006. About 2,500 health-care professionals have access to the data.

Emily Wingfield, chief deputy director of the Department of Health Professions, said the database contained 31.3 million prescription records as of Jan. 1. About 1 million records are added every month, she said.

State officials say they have no evidence that any personal information is at risk, but they recommend that anyone concerned about possible identity theft keep track of personal financial statements and periodically review credit reports.

© 2009 The Washington Post Company