Thread: Hackers Hold US Medical Records Hostage

  1. #1

    Hackers Hold US Medical Records Hostage

    Hackers have taken control of the Virginia Prescription Monitoring Program (PMP) in the U.S. and are demanding a US$10 million (A$13.6 million) ransom for the return of patients' records.

    The PMP contains details of medical patients' drug prescriptions and was intended to be used to stop people abusing their access to medicines.

    However, on Thursday the site was taken over by hackers and the following announcement posted on the web page.

    "I have your ! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions,” said the site according to Wikileaks.

    “Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh For $10 million, I will gladly send along the password."

    The site has now been taken down and PMP representatives are not returning requests for information from the media.

    The message continues that if payment is not received in seven days then the hackers will offer the information to the highest bidder.

    They say that they may not find a market for the prescription data but should be able to sell basic identity information such as social security numbers and driver’s license details.

    The message then lampoons the FBI’s practice of not paying out ransom for information and gives an email for response. The FBI and state police are reportedly investigating.

    “If this all is correct, it indicates that several protection layers failed at the PMP,” said Bojan Zdrnja of the SANS Internet Security Center in a blog posting.

    “Without knowing more details we can't say if the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is the ability for a hacker to delete your backups. And indeed, any decent backup system will only allow you to back up the data or read it – only the backup administrator should be able to delete the backups.”

    The case raises long term questions for businesses holding large amounts of data on customers, and their liability should a hacking attack occur.

    This is not the first time that medical databases have been held for ransom. In October 2008 prescription processor Express Scripts had their database stolen and offered US$1 million for its safe return.
    http://itnews.com.au/News/102606,hac...a-hostage.aspx
    If this is actually true, I'm curious as to how the hacker(s) got to the backups; aren't those things usually kept on a network separate from the main one?

  2. #2

    Re: Hackers Hold US Medical Records Hostage

    Quote: Originally Posted by Tenhauser
    http://itnews.com.au/News/102606,hac...a-hostage.aspx
    If this is actually true, I'm curious as to how the hacker(s) got to the backups; aren't those things usually kept on a network separate from the main one?
    You would think so but this is the government

    Even in my office we take backups off site.

  3. #3
    Erik (Dux Limitis) | Join Date: Aug 2004 | Location: Amsterdam | Posts: 15,653

    Re: Hackers Hold US Medical Records Hostage

    Quote: Originally Posted by Tenhauser
    If this is actually true, I'm curious as to how the hacker(s) got to the backups; aren't those things usually kept on a network separate from the main one?
    Maybe they hacked the main admin account.

    Backups are usually sent to a different server, yes.
    But it's likely that access to the backup server is managed either from the main server, or from a hosting account with access to both servers.

  4. #4

    Re: Hackers Hold US Medical Records Hostage

    You'd think they would have a secondary offline backup for information that important. That hacker is a prick.

  5. #5

    Re: Hackers Hold US Medical Records Hostage

    It's probably someone who works for the company.

  6. #6

    Re: Hackers Hold US Medical Records Hostage

    Anyone who does not have a physically separate backup (not connected to the net, server and put in a separate facility) deserves what they get, especially when it comes to such sensitive data.