Extortion investigated in health records case
Published: May 5, 2009
Updated: May 5, 2009
State and federal authorities are investigating a possible extortion demand that seeks $10 million for the safe return of more than 8 million patient records and 35 million prescription records that allegedly were hacked last week from the Virginia Department of Health Professions computers.
An extortion note posted on WikiLeaks, a Web site that publishes anonymous submissions and leaks of sensitive government and corporate information, reads:
"ATTENTION VIRGINIA I have your [stuff]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("
The note demands $10 million within seven days, but it does not say from what date the count began. Hackers apparently infiltrated the health professions' computers last Thursday.
M.A. Myers, a spokesman for the FBI's Richmond office, confirmed late yesterday that an investigation has begun. He said the FBI received a referral from the Virginia Information Technologies Agency.
Corinne Geller, a state police spokeswoman, confirmed that state investigators are assisting the FBI.
Last Thursday, all 36 computer servers storing the state agency's records were shut down after a message popped up on some computers that made those who saw it believe the system was being hacked.
A redirected Web site yesterday informed users that the department was experiencing technical difficulties.
The authenticity of the demand note was in question, but two sources familiar with the letter confirmed that it is being investigated, along with the disruption to the computer servers.
"I am aware of that information being out on the Internet," Health Professions Director Sandra Whitley Ryals said of the ransom note. "However, a criminal investigation is under way, so I am not able to speak to the details."
She added: "We take information security very seriously and are taking all the essential precautionary steps."
The ransom-note writer said if the money isn't paid in seven days, "I'll go ahead and put this baby out on the market and accept the highest bid."
If the prescription data can't be sold, the writer says, then "at the very least I can find a buyer for the personal data" -- which the note says includes names, ages and Social Security numbers.
The writer provided a Yahoo Mail address to contact.
The Virginia Department of Health Professions maintains licensing information on doctors, nurses and other health care practitioners in the state. Ryals said they were still able to license practitioners and investigate disciplinary cases.
Ryals said she did not know when the complete site would be up and running:
"We have folks who have been working literally around the clock since the system was shut down on Thursday."
Contact Mark Bowes at (804) 649-6450.
Contact Tammie Smith at (804) 649-6572.