Network News

X My Profile
View More Activity

Hackers Break Into Virginia Health Professions Database, Demand Ransom

Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on, an online clearinghouse for leaked documents.

Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file.

Wikileaks has published a copy of the ransom note left in place of the PMP home page, a message that claims the state of Virginia would need to pay the demand in order to gain access to a password needed to unlock those records:

"I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."

The site, along with a number of other Web pages related to Virginia Department of Health Professions, remains unreachable at this time. Sandra Whitley Ryals, director of Virginia's Department of Health Professions, declined to discuss details of the hacker's claims, and referred inquires to the FBI.

"There is a criminal investigation under way by federal and state authorities, and we take the information security very serious," she said.

A spokesman for the FBI declined to confirm or deny that the agency may be investigating.

Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.

"We do have some of systems restored, but we're being very careful in working with experts and authorities to take essential steps as we proceed forward," she said. "Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete."

She added that the department does have a page online at that lists the phone and fax numbers for various state health boards, and that the state would continue issuing health care licenses and investigating violations of the law or regulations of state health licensees.

This is the second major extortion attack related to the theft of health care data in the past year. In October 2008, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

By Brian Krebs  |  May 4, 2009; 6:39 PM ET
Categories:  Fraud , Latest Warnings , U.S. Government , Web Fraud 2.0  | Tags: defacement, extortion, hack, state of virginia  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Pushing Out IE8 Through Auto Update
Next: Safari, Opera Users Lag Behind in Security Updates


The threat presented by hacking is the principal reason I'm against electronic medical records. The risk is just too big. Here's one case where I think low tech is safer.

Posted by: WashingtonDame | May 4, 2009 7:11 PM | Report abuse

Uh, the crooks took the backup files, too?
The storage media for the backup should not have been connected to the network, except at the time of making a backup.

Posted by: observer31 | May 4, 2009 7:17 PM | Report abuse

Two weeks before BO appointed him, our governments CIO was running the DC IT Department, where his aides were printing and selling phony birth certificates and sucking in kickbacks. Now this is the guy who will scan all our medical records and make them available to millions of doctors, dentists, hospitals, nurses, pharmacists, insurance clerks, office staff, nosy doctor's wives, pharmacy techs etc.

What have we done?

Posted by: georgejones5 | May 4, 2009 7:34 PM | Report abuse

Mr. President

This is an excellent example of the incompetence in government IT executives. As pointed out by my fellow commentators your decision for the CIO position shows that you are not paying attention to the problem. If the CIO can not be held accountable for the actions of his/her subordinates then what his/her value? In the DC case the person employed in the Chief IT Security position was not only accused of criminal activity but also did not have any IT Security skills/experience. If these are the executives running government IT then no wonder everything is getting hacked.

Posted by: sotiris | May 5, 2009 7:43 AM | Report abuse

Wasn't there any security in place? Seems like someone wasn't doing their job.

Posted by: citigreg | May 5, 2009 8:15 AM | Report abuse

Which idiots ran security? Offer the their heads to extortionists.

Posted by: Garak | May 5, 2009 8:29 AM | Report abuse

The Wikileaks page shows the hacker left a return address:

Can this be traced? I assume Virginia can get a court order ASAP to force Yahoo to disclose all information on this account.

Posted by: Garak | May 5, 2009 8:35 AM | Report abuse

1) the state IT people are incompetent,
2) bureaucrats didn't allow IT to buy tape drives, or
3) the hacker is stupidly naive.

Any or all of the three are distinctly possible.

Posted by: ronljohnson | May 5, 2009 9:10 AM | Report abuse

First, it stated in the article that they were Restoring the services, which tells me they had backups. Second, I really hope the Federal Government stays out of this. They would be far worse than VA State.

Being that I am in the field, I find it hilarious the number of cracking attempts made on my home servers. And just to Clarify, hackers are not bad, they are the people who find flaws in the software to provide fixes. Crackers do the same, but want to use that information to exploit other systems.

I am sure everyone will continue to call them hackers, but that is just a annoying thing for me.

Posted by: hbcapsfan | May 5, 2009 9:48 AM | Report abuse

Security Breach in Va's networks - but not the only one, Folks:
This just happens to be one that made the news. Nobody is interested in the the DMV/DSS security breach that generates income for DMV, and the state, by DSS employees triggering the driving STATUS data field from "licensed" to "suspended" on people whose cases dcse workers manage.
They have about 145,000 cases, and just over the past couple of years have changed records on at least 32,000 people WITHOUT sending the legally required Notice of Intent to let people know their records are being changed. A lot of these people, find out when they get Arrested for driving on a suspended, after being pulled over for a minor traffic violation or alleged violation. Then, the DMV (who has abrogated their authority to control the driving statuses to DSS) charges a Re-Instatement Fee in violation of 63.2-1937 to the Victims DSS has changed the driving status on.This is a money maker for DMV - so they aren't interested in "who" has access to their network - and since DSS and DMV are sharing network resources via a private/public contract with Northrup Grumman - could care less about the lives that are being tampered with.When did your protected property RIGHT to travel become a "privilege"? When DMV was created to provide "more Jobs"...STATE JOBS. And since "the state" isn't run like a legitimate business, it finds ways to fund itself by taking the RIGHTS of it's citizens and granting the Citizens a 'privilige' in return for a Fee.
The media will not report on this, because, we the masses, need to be kept under control. The Attorney General and Governor of Va. won't do anything, because they are Politicians who do NOT uphold their Constitutional Oaths of Office.
ASK YOURSELF - WHY WOULD WE WANT TO ALLOW A SOCIAL SERVICES WORKER TO HAVE THE ABILITY TO CONTROL OUR CITIZENS RIGHT TO TRAVEL? WHAT IS THE UNDERLYING REASON FOR THIS? Do you really believe it's about collecting alleged child support 'debt'? (85% of all non custodial parents already PAY every month, even at the risk of losing their own housing simply out of fear of jail and FEAR of Social Services workers)

Posted by: marshamaines | May 5, 2009 10:07 AM | Report abuse

What web-server and o/s was being used? I give two-to-one that it was IIS and Windoze. The state of Virginia should demand that M$oft pay the ransom.

Posted by: hairguy01 | May 5, 2009 10:13 AM | Report abuse

In fairness this is almost certainly more a problem with the application developers being lazy and leaving a security whole open through one of the applications on the site.

Also management shares blame because I doubt the allocated any resources to test the application's security prior to going live with it.

Posted by: bosconet | May 5, 2009 10:22 AM | Report abuse

marshamaines -- why don't you drop me a line, at brian dot krebs at washingtonpost dot com


Posted by: BTKrebs | May 5, 2009 10:23 AM | Report abuse

This is BS. What does it take to protect data? Morons!

Posted by: adrienne_najjar | May 5, 2009 10:48 AM | Report abuse

WTF! I don't want my personal data stolen!

Posted by: bacara | May 5, 2009 10:59 AM | Report abuse

Maybe they should spend more time chasing real criminal and less time tracking what drugs people are taking.

Posted by: jdr99 | May 5, 2009 11:06 AM | Report abuse

Yeah, what happened to the backups? That doesn't make any sense.

Posted by: g99999 | May 5, 2009 11:18 AM | Report abuse

You're going to see a steady stream of these types of major compromises as long as nothing less serious gets any type of attention.

If we dealt with hijacked computers the way we deal with flu cases -- setting up a system to identify them, report them, and either disinfect them or isolate them from the rest of the internet -- we would have removed a lot of the profit motive from disseminating malware. And we would make it practical for system administrators to block access from a finite number of problem IP ranges, greatly reducing the risk of attacks. As it is, the cracker in this case could have gained access through any one of hundreds of thousands of hijacked computers, even from an infection on one of their own employees' workstations.

Last year, I found a server in another state that was hosting their family services department (i.e., the department dealing with families of abused children) and also hosting a spamvertised pharma site. It took an inordinate number of emails and phone calls to get anyone to take it seriously and finally shut down the open port. There should be systems in place to allow these issues to be reported and handled urgently, rather than making volunteers trying to report infections have to to negotiate spam filters that block any emails mentioning the very servers we're trying to report.

Posted by: AlphaCentauri | May 5, 2009 11:31 AM | Report abuse

@ those who have commented on the back-ups being affected by the hacker:

It is only the word of the hacker that the VA DHP back-ups were impacted. Neither Brian Krebs reporting nor the article's sources specifically address the database backups, only that some systems are in the process of being restored.

It would be a very sad state of affairs if the DHP did not have an off-site back-up process in-place or, at the very least, back-up media that is disconnected / removed from network devices on a frequent basis.

At this point, we-the-readers are left guessing at what the extortionist was truly able to accomplish as well as the true state of the DHP's IT infrastructure.

Posted by: CB12 | May 5, 2009 11:58 AM | Report abuse

The attacker who hit's forum erased three separate backups, then accessed the main database via a backup server to erase that, too. And that forum is run by people who ought to have known what they were doing.

Posted by: AlphaCentauri | May 5, 2009 12:11 PM | Report abuse

Assuming that this is more than just somebody defacing a Website (annoying but not dangerous), either the Virginia IT folks are staggeringly incompetent or this was an inside job.

AlphaCentauri -- the problem with tracking computer breakins like flu cases is that the data gets lost in a mess of finger pointing, arse covering, and general not- my- faultism. You'd get the same effect with flu cases if the flu victim and his manager both lost their jobs.

Cases like this that I've heard of in the private sector have resulted in the extortionist being quietly paid off. I'd imagine that the Virginia Prescription Monitoring Program would have a great deal of trouble hiding a $10M payoff to an extortionist.

Posted by: sgsguru | May 5, 2009 12:19 PM | Report abuse

We should thank the hackers for deleting the medical records. There is no reason for the government to have this private data, just because someone bought sudafed.

A ransom note? That's funny. Do they accept paypal or mastercard? :)

Posted by: win_harrington | May 5, 2009 2:22 PM | Report abuse


Posted by: timscanlon | May 5, 2009 3:16 PM | Report abuse

it's probably due to my childish love for stories like '1984', 'the matrix', 'v for vendetta', 'turk182', 'revenge of the nerds', 'wargames', 'hackers', 'erin brokavich', 'thank you for smoking'... this story made me smile and laugh. the concept of hacking for profit reminds me of the whistleblower stories i've been hearing all of my life, starting with 'silkwood'. this particular hacker i don't believe is actually motivated by money. i think this story (and perhaps the hacker too) is brutally sending a message, not only about internet security and our dependence on computers and technology, and about government surveillance and control. or not.

Posted by: docrivs | May 5, 2009 4:57 PM | Report abuse

Incredible incompetence from an IT standpoint and equally ridiculous data collection all focused on prescription drugs. Gotta get those bad guys, you know. I hope it's never retrieved and gone forever. It should HIPPA protected information, only available through subpoena or upon authorization by the patient. Why the pass on this?

Posted by: patryot | May 5, 2009 5:36 PM | Report abuse

Plenty of money for Starbucks (or Dunkin' Donuts coffee), nothing for IT security. What else is new?

Who accredited this system? It wan't anybody from the "Mouse Factory," aka Disney.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | May 5, 2009 6:50 PM | Report abuse

If you believe that electronic records are a problem, then I insist you read "Critical Condition" by Donald Bartlett and James Steele. You will see that medical records even on paper are kept in danger by hospitals and clinics. The solution is peer to peer computing, don't use cloud computing, they are too big of a target. If you held all of your info on a thumb drive and it was used by your doctor and updated, and kept in your possession this would solve the problem. You could also keep a copy on your computer at home, should you lose your thumb drive.

Posted by: wallasongs | May 5, 2009 7:52 PM | Report abuse

adrienne_najjar said, "This is BS. What does it take to protect data? Morons!"

They aren't morons. Morons could have protected the site better.

What will happen is this. Users of Virginia's computer and network resources will have even more time wasting, ineffective so-called "security" procedures to deal with while attempting to do their real jobs.

Posted by: wpbrown46 | May 5, 2009 8:12 PM | Report abuse

Sounds like wpbrown46 knows the reality of managing an IT system by crisis instead of preempting the hacking. Shameful waste of money.

Posted by: patryot | May 5, 2009 8:29 PM | Report abuse

This is yet more evidence that there are no records that can't be hacked. Electronic Medical Records are a great concept, but huge amounts of money have been committed without assuring security. How can they?

Posted by: mcdermottmike1 | May 5, 2009 11:28 PM | Report abuse

@Computer_Forensics_Expert_Computer_Expert_Witness: I would imagine Disney's IT security is quite a bit better...

Posted by: Nathan_1 | May 6, 2009 8:57 AM | Report abuse

Cyber Extortion is just a throw back to hacking for profit started. Now adays it if far harder to convert stolen data to profits then say 3 yrs ago. Systems, merchants and law enforcement are far more aware of the techniques so hackers go back to the tried and true. Extortion. It is the equavalent of the Somali pirates except this is cyber based.

The sad part here is companies will go back to what they did in the late 90's and early 2000. They will negotiate and pay and then wonder why their stuff went public. Of course then they look like bigger idiots and they will not report the issue.

Ill share this story, the hacking group Zilterio used to extort their victims, and the victims would pay but when the ad hoc group started to go their own way each of the members claimed to be "zilterio" and thus tried to extort the victims separately. The result victims thought they were paying the extortion to the whole of the group and when zilterio 1 got paid he would not share so zilterio 2 thought the victim was lying about paying the randsom and publicized the stolen data.

In short, dont pay ransoms, dont negotiate, prepare for a public disclosure call the FBI and let them guide you through the game.

Posted by: Hilbert | May 6, 2009 3:11 PM | Report abuse

Hello, I am a patient who has a chronic condition. Avascular Necrosis of the bilateral hips. Normally surgery corrects this condition. Well I have a heart problem as well. I cannot have surgery. So yes I take painkillers basically to overcome the pain of applying pressure on my hips. One day I have been told the hip bones will fracture and either I have emergency surgery or I will be an invalid. I am extremely upset!!!! I am sure after being on these drugs for 5 years, my name is in there. I do cover myself with a service that blocks activity in case of stolen identity. So I cover my butt already. But because of the government stupidity and placing my name in there as if i were a criminal.Absolutely inferiorates me!!!!! If you are going to be careless enough with my info, do not let me hear about it. Or the next call will be to my Attorney!!!! I do not abuse my meds I am taking them as ordered. I am under a pain contract. I would not think about writing false scripts or selling my stuff on the streets. I am not a criminal people. I go to a Doctor to overcome the pain, that is my right. I feel so threatened now. I am out. Good day!

Posted by: mikeman64118 | May 6, 2009 11:24 PM | Report abuse

As indicated at the link below the agency/state was/is running Microsoft-IIS on Windows Server 2003 when last queried at 5-May-2009 13:31:20 GMT

In my professional opinion this was their first mistake and yes I design secure systems for the medical field.

Posted by: springman1 | May 7, 2009 5:48 PM | Report abuse

The way I see it, the hackers provided a public service by trashing the intrusive and totally unneded government, er, "service" (or extortion program, if you want to say it in plain English).

One only may wish the same guys went after IRS.

Posted by: bugaboo1 | May 7, 2009 8:32 PM | Report abuse

We in the Insurgency only advocate rhetorical violence, but there are other cells that are taking more extreme measures. Some are involved with MS-13 in SV and the GD in ChiTown.

These folks that broke into the Virginia Prescription Monitoring Program
have been in touch, and I can neither confirm nor deny that we have aided them in their patriotic efforts.

We have your data. We know where you live. The discrimination, denigration, and displacement of American I.T. professionals will stop.


Posted by: tunnelrat1 | May 8, 2009 1:55 AM | Report abuse










Posted by: | May 8, 2009 3:11 AM | Report abuse

A drunk arrives home from a drinking binge at 3am and unable to make it all the way to his front door, falls asleep on the hood of his car in the driveway. Awakening at 10am, the first observation he makes is 'Oh my God, I'd better get in the house before all the neighbors see me out here like this.'

Guess what -- the neighbors have already seen you like this and probably on many previous occasions. Only YOU are in denial -- not the neighborhood.

As to legitimate users of pain medications, so what if your neighbors know -- they probably already know about your painful circumstances anyway -- and most likely from you. THERE IS NO BLACKMAIL POSSIBILITY HERE AND IF ANYONE TRIES, TELL THEM WHERE THEY CAN GO !!!

Now what about shipping our IT jobs overseas, as tunnelrat1 above is claiming to be the REAL basis for the break-in ???

If that is so, is the VIRGINIA PRESCRIPTION MONITORING PROGRAM being supported by foreign IT professionals?

Where is the real connection here ? Even if we are 'sympathetic' to the plight of the American IT professional, why this target, when there must be any number of 'better targets,' i.e., services that send radiology photos overseas for reading, etc.


Posted by: | May 8, 2009 4:49 AM | Report abuse


Maybe you would care to further enlighten us as to how a break in to the Virginia Prescription Monitoring Program furthers the cause, directly or indirectly, of [displaced - ???] American IT Professionals, for it is not quite obvious to me where the connection is.

And just who would be the subject of blackmail anyway?

The Physicians or the patients ???

And if it is the Physicians, what makes you believe the DEA doesn't already know everything they may need to know ???

This merely sounds like a criminal act to me, but maybe you can enlighten all of us as to some 'overarching' social injustice ???

Posted by: | May 8, 2009 5:05 AM | Report abuse

Threatening to disclose personal patient information is NOT patriotic - it's cyber-terrorism. The people who did this are no better than the wackos over in BFE who kidnap American soldiers and threaten to kill them unless prisoners are released or some such nonsense. Stop trying to sound like you stand for something; all this is is an excuse to wave your man-parts around and say "Ha ha, see what I did!!" and then hurt innocent people if you don't get your way.

Posted by: Cricket84 | May 8, 2009 9:13 AM | Report abuse

CQ CQ CQ Where us Tunnelrat 1 ???

CQ CQ CQ Where is AlphaCenturi also ???

vvv vvv vvv
vvv vvv vvv
vvv vvv vvv

123 123 123 de 567 567 QSA IMI QRU IMI K
123 123 123 de 567 567 QSA IMI QRU IMI K
123 123 123 de 567 567 QSA IMI QRU IMI K




Posted by: | May 8, 2009 7:32 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company