FBI Investigates Hackers' $10 Million Ransom Demand

Sandra Ryals, director of the Department of Health Professions, which oversees the prescription-drug-information database, said in a statement that the agency is doing everything it can to ensure the security of its sensitive health information. Ryals also said that the department's Web site and e-mail systems have been shut down since last April 30, but that all lifted data was backed up and the files were secure.

Altogether the hackers infiltrated the Virginia prescription-drug database, then deleted more than 8 million patient records and more than 35 million prescriptions before posting an online ransom note demanding $10 million for their return.

The FBI is currently investigating a report that hackers infiltrated the Web site of the Virginia Prescription Monitoring Program, which contains information used by pharmacists to track prescription-drug abuse and theft, in order to delete and steal millions of patient and prescription records, according to The Washington Post.

In the extortion scheme, first discovered Tuesday on wikileaks.org, an anonymous online information leak forum, hackers defaced the Virginia Prescription Monitoring Program Web site with a ransom note that demanded $10 million in exchange for a password that would unlock tens of millions of deleted patient records and prescriptions. The hackers also said that they eliminated the state's backup records on the PMP site and then encrypted the backup data in a password protected file.

"I have your ***! In my possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh (For $10 million, I will gladly send along the password."

The hackers threatened that if the government agency didn't respond within a week, the patient information would be auctioned off to the highest bidder.

Virginia DHP's Ryals declined to comment specifically on the stolen records to the newspaper's Security Fix blog Tuesday, but maintained that the intrusions were discovered April 30. In response to the hack, the DHP subsequently shut down dozens of its Web pages, including the PMP site, and discontinued e-mail to and from the department pending the outcome of a security audit, Ryals said. A banner advisory on the VDHP Web site warned users that the site was "currently experiencing technical difficulties which affect computer and e-mail systems." Links to the PMP Web site were also disconnected from wikileaks.org and were currently inaccessible at the time of writing.

"There is a criminal investigation under way by federal and state authorities, and we take the information security very serious," she said.

The Virginia PMP extortion incident is the second to occur within the last year. Express Scripts, a pharmacy prescription processor, offered a $1 million bounty in November for information leading to the arrest of hackers who threatened to expose millions of stolen patient medical records if the company failed to pay a demanded ransom.

Security experts say that the recent Virginia Prescription Monitoring Program hack represents a major threat for the health-care industry, which is currently undergoing an overhaul to digitize patient records and make them available on the Web.

"This is a major fear," said Paul Ferguson, advanced threat researcher for Trend Micro. "We're rushing so quickly to put electronic health records online, we weren't doing the right things to make sure they're secure."

Ferguson said both of these medical extortion incidents should be a wake-up call for health-care and other industries for imminent security threats, while possibly enhancing security infrastructure to address those problems.

"This issue has come up on several types of electronic sensitive data issues in the past few weeks. It's not just electronic health-care records, it's not just credit-card payment processors. It's the entire landscape," Ferguson said. "Hopefully, if there's any good that comes out of it, it raises the specter of unscrupulous people gaining access to records that are very sensitive and very private."