May 6th, 2009
A hacker replaced a Virginia government Web site last week with a ransom note claiming he’d stolen 8.3 million patients’ personal and prescription drug information and wants $10 million for its return.
The Virginia Prescription Monitoring Program’s secure site tracks drug abuse and contains 35.5 million prescriptions along with enrollees’ personal information such as names, social security numbers, and addresses. The hacker claims to have encrypted it with a password and deleted the commonwealth’s back-ups. The Web site has been temporarily disabled and there is speculation as to whether the commonwealth has a back-up of the data.
Read more at http://www.healthcareitnews.com/news/hacker-says-he-stole-confidential-medical-data-8-million-virginia-residents
Tags: Breach of PHI, Commonwealth of Virginia, Hacker, PHI, Ransom, Virginia
Doesn’t bode well for HITECH’s requirement for EMRs!
This is exactly what scares me with the government having a central computer system.
This does not surprise me at all that the incompetent government IT workers can’t secure data. At least this time it was not due to a worker carrying around a laptop with unencrypted personal info on it http://www.rd.com/your-america-inspiring-people-and-stories/government-loses-private-citizen-records/article84863.html .
I do not hold any IT certifications but have worked with computers, networking, and backups mostly teaching myself for the last 17yrs.
It is beyond belief how they could have lost all the backups at my practice we have daily backups stored on the server another one on a SANs drive, weekly backups to a tape drive and monthly backups to a remote server. So if the database was deleted we could restore it without any loss. Even if the building with the server burnt down we would only lose up to a month of data.
Now on to the protection of data I wish that large entitys like banks, telcos, and government were held accountable for negligence in securing the personal data.
It would not have been hard to create a two part database the first with a unique identifier linked to the second database (db). The second db would be encrypted with a two part encryption one for the actual bd and a different one for communication to and from bd1 to bd2. This would never expose the encryption key.
On top of that by setting up a small low power server and setting the firewall to list that computer as a DMZ so that any incoming connection to a port not for normal web communications would be sent to the dummy computer that only has access to its self.
Sorry for the rant but what can be expected from the government who hires IT groups that offer the lowest contract price and quality of service. Thats why KY Medicaid and Medicare accounting can’t even figure out that if they pay $100 then ask for $75 back and later ask for the full $100 again that they have been paid for a doctor providing a service.
Unfortunetly, these mishaps are how we learn, behind the 8ball instead of being proactive and in front of it.
I happened to be listed in the the above mentioned laptop computer taken from a state employee’s office, no where ever to be found, 2 years later I still can’t apply for credit anywhere without it being blocked, credit checks are halted, humm, try buying a new car!
I live in Virginia and find this pretty scary! When will we be told if this affects us or not??? Does this affect everyone that gets a prescription in Virginia or only those with controlled prescriptions??? Identity theft is becoming a bigger and bigger problem and for a government agency to not have more security is pretty scary!!
Has any one, or does any one even know if what the hacker said is true, or can they not even figure that one out..
This also begs the question – security with databases that utilize satellite technology. Signals are piggybacked on a regular basis – until these issues are adequately addressed – mandatory electronic medical records are definitely at risk
I would say this would be true. That database is still down as of today.
Email Address (will not be published) (required)
Attention: AAPC does not regularly monitor comments posted here. For customer service issues, contact us. In addition, we recommend posting your questions to the AAPC forums.
© Copyright 2013, AAPC