Hard Questions in Wake of Reputed Va. Health Data Theft

By Anita Kumar
Washington Post Staff Writer
Wednesday, May 13, 2009

RICHMOND, May 12 -- Legislators had sharp questions for state officials Tuesday about how hackers stole millions of personal pharmaceutical records from a prescription drug database that was supposed to be secure.

"It doesn't sound like the proper firewalls, the proper backing up, the proper security measures were in place at the time," said Del. Joe T. May (R-Loudoun), who chairs the Joint Commission on Technology and Science. "The question is . . . why weren't they?"

The pointed questions came at a House Appropriations Committee meeting almost two weeks after hackers claimed to have taken 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program. The hackers then attempted to blackmail the state, threatening to sell the data if they did not receive $10 million last week.

Pat Paquette, technology director for the Department of Health Professions, defended the agency and its security measures.

"Those things were in place, have always been in place," she told the lawmakers.

The state has a multimillion-dollar contract with Northrop Grumman to update its computers to include better security, she said. The upgrades at the Department of Health Professions are expected to be completed in August.

The FBI, along with the U.S. attorney's office and Virginia State Police, is conducting an investigation into the alleged theft.

"It's like looking for a needle in a haystack, but they do have the ability to find the needle and they will," said Marilyn Tavenner, secretary of health and human resources.

It's unclear whether the hackers followed through on their threat -- the deadline for the state to pay up passed last week. Tavenner said the state has yet to verify that the hackers actually succeeded in stealing patient records, as they have claimed. If the theft is real, it would be among the most serious cybercrimes the state has ever faced.

"I don't think this is the last time we are going to see something like this happening," Del. L. Scott Lingamfelter (R-Prince William) said. "I have some question as to whether there is a comprehensive approach to cyber security in the commonwealth."

Lingamfelter, who suggested that the hackers could be cyber-terrorists, called for a "top-down review." Other legislators and privacy advocates are questioning whether the database is needed in the first place.

The database was designed to help doctors and pharmacies track powerful narcotics and painkillers to reduce the abuse, theft and illegal sale of the controlled substances sold under labels that include OxyContin and Vicodin.

© 2009 The Washington Post Company