HACKER CLAIM: I STOLE MILLIONS OF PRESCRIPTON RECORDS
May 07, 2009
(NATIONAL) -- A week after a hacker claimed to have stolen millions of sensitive patient records from a Virginia Web site that tracks prescription drug use, Virginia state officials say they don’t know for sure whether their data base was compromised.
State officials did confirm yesterday that an unauthorized message was posted on the Prescription Monitoring Program Web site last Thursday. They said the message was a ransom note claiming that the entire database - containing more than 35 million prescription records - had been stolen by a hacker who claimed to have deleted the original database and created an encrypted backup copy.
“For $10 million, I will gladly send along the password,” the message read. “You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid.”
The hacker included an e-mail address with the user name “hacking for profit.”
The FBI and the State Police are investigating. The web site, operated by the state Department of Health Professions, has been shut down since last week for security reasons.
The Prescription Monitoring Program collects information about every prescription for certain federally controlled drugs dispensed by Virginia pharmacies. The list includes drugs with a high risk of abuse, such as morphine, OxyContin and Ritalin.
The database was set up as a pilot program in southwestern Virginia in 2003 and expanded statewide in 2006. Its purpose is to combat drug abuse by allowing health professionals to track prescriptions. Access to the database is restricted to about 2,500 registered users, mostly doctors and pharmacists.
State officials say the database contained 31.3 million prescription records as of January 1st and about 1 million records are added per month, which would tend to lend credibility to the hacker’s claim to have obtained more than 35 million prescription records.
The records contain the recipient’s name, address and date of birth, the name and quantity of the drug prescribed, the date, and identifying numbers for the prescriber and dispenser.