State and federal authorities said very little yesterday about a hacker's claim that millions of patient prescription records kept on Virginia Department of Health Professions computers have been stolen.
The FBI and the Virginia State Police have confirmed that an investigation is under way.
But what is not clear is whether a hacker has been able to access a database with patient Social Security and driver's license numbers as claimed in an extortion letter allegedly from the hacker.
In the letter, posted on WikiLeaks, a Web site that tracks information security breaches, the hacker asks for $10 million.
A state police spokeswoman yesterday would say only that the investigation was ongoing.
The health professions department, which licenses health-care providers, shut down its computer servers Thursday when a message popped up on some computers implying the system was being hacked.
Yesterday, the department's Web site had limited functionality with few working links. Instead, there was a list of telephone numbers for people to call to reach the various health-professions licensing boards.
When asked about the matter and the vulnerability of electronic health records, Virginia Gov. Timothy M. Kaine said: "These are not like patient files from doctors' offices that are being rummaged through. That's not what they are."
The hacker claims to have stolen records from the department's Prescription Monitoring Program, which tracks patients' prescriptions for narcotics and other controlled substances.
The program was created several years ago in response to a spike in drug-abuse-related crime and deaths in Southwest Virginia. Patients were going to multiple doctors to get prescriptions for narcotics such as OxyContin, a powerful painkiller valuable to cancer-pain management but abused on the street by addicts.
Doctors and pharmacists submit records to the monitoring database and can query it to check whether a patient has had a similar prescription filled recently.
The hacker said the original files were deleted and that the backup was encrypted and altered so it can be opened only with a password the hacker knows.
"This information was protected, but people get innovative and they figure out ways around the protections that are in place, and that means we've got to always be diligent and try to find new strategies to keep people from getting information that's sensitive," Kaine said.
"These were not patient records, so it's not compromise of health-care information about particular individuals," the governor said.
"I don't want to say too much about it. But there's no way we can get to a better health-care future where we can control costs and maximize quality without having better electronic records. We have to be able to do that. But, there's security challenges just as there are security challenges in any line of work, and we've got to get to the bottom of how this happened and make sure that anybody who did anything improper is caught and prosecuted."
An information security expert who reviewed the extortion letter said it could be a prank, but without knowing how the database was maintained, he could not rule out a security breach.
Typically, backup files would not be kept on the same server as the original, he said, so there still should be a backup file.
Contact Tammie Smith at (804) 649-6572 or TLsmith@timesdispatch.com.
Contact Jim Nolan at (804) 649-6061 or jnolan@timesdispatch.com.




