Individual letters sent about hacked prescription files


About 531,000 people who had records in a state agency's hacked prescription-monitoring database will receive letters this week advising them to keep close watch on their credit record.

The Virginia Department of Health Professions issued similar advice last month after the hacking of the Internet-accessed database surfaced April 30 but now is notifying people individually to take precautions.

The letters, which started going out yesterday, include a telephone number for people to call if they have questions and contact information for the credit-reporting agencies such as Equifax and TransUnion. A call center was being set up to handle calls.

"Although the investigation has yet to determine what, if any, personal information is at risk, DHP nonetheless recommends that persons remain vigilant over the next 12 to 14 months," said Sandra Whitley Ryals, Virginia Department of Health Professions director, in a statement.

"While there are over 35 million prescription records in the . . . database, only the 530,000 individuals whose prescription records may have contained Social Security numbers will receive the direct mailing," she said.

The letters are going to people who had a nine-digit number in a patient identification field in the database. That number may or may not have been a Social Security number -- officials do not know.

An additional 1,400 people, such as doctors and pharmacists who may have provided Social Security numbers when they registered for program access, also are being sent individual letters.

The Prescription Monitoring Program database was created several years ago as a way for health-care providers to detect people who might be going from doctor to doctor getting prescriptions for controlled medications that sometimes are abused as street drugs.

Pharmacists and prescribers had access to the database, which includes records on people prescribed controlled drugs such as OxyContin, Ritalin and Xanax that are subject to additional oversight because of potential for abuse or addiction.

The hacking came to light when a message popped up April 30 on some computers at the agency, which has offices in western Henrico County, that demanded a $10 million ransom.

The department took down all of its computer servers for a while, but most now are operational. The Prescription Monitoring Program database, however, remains offline.

Virginia State Police and the FBI are continuing the investigation, which is taking longer than the two weeks that state officials had predicted. The hacker claimed that the database's original files had been deleted and a backup copy locked. For the ransom, the hacker would send along the password to unlock the file.

The Department of Health Professions said yesterday that all data were backed up and that there is nothing to indicate files beyond the monitoring program were involved.

FBI Richmond office spokesman M.A. Myers said the two-week estimate for the investigation probably was given in good faith.

"The thing is with these types of investigations involving cybercrime, we have to send out requests to Internet service providers, and we are kind of really depending on them to get back to us in a timely manner," Myers said.

"If the person used several different Internet service providers, then at each interval we would have to do a reset and send out another subpoena or court order."



Contact Tammie Smith at (804) 649-6572.
