DataBreaches.Net


Another breach raises questions about the security of online health data

Posted on May 4, 2009 by Dissent

First it was an extortion demand made to Express Scripts in October 2008, followed by similar threats to some of their clients that members’ personal information and prescription data would be exposed on the web if the company didn’t pay up. Now the Virginia Department of Health Professions is also on the receiving end of an extortion demand, this one posted by a hacker on the secure site of the Virginia Prescription Monitoring Program:

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this shit is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).

Now I hear tell the Fucking Bunch of Idiots ain’t fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at [email protected] and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will 😉

The extortion demand was posted on April 30th.

As Thomas Claburn of InformationWeek reports, this type of attack — accessing and acquiring data, encrypting it, then selling access to the former owner — has its own name: cryptoviral extortion. The attack may not be particularly devastating in the sense of losing data if the entity runs daily backups that are not stored on the network, but these attacks are devastating in terms of the acquisition and threat of exposure of tremendous amounts of personal information, even if the information does not contain Social Security numbers.

In the last 6 months, the prescription records of almost 60 million people may have been acquired — and may even be already circulating on the internet via chat rooms or carders’ forums. Neither Express Scripts nor Virginia has provided any additional information.

Under new provisions in the HITECH Act, entities basically need to either encrypt data or destroy it. While the provisions are raising eyebrows and concerns, these two breaches should serve as a cautionary tale of what happens when vast amounts of sensitive health information are left sitting in databases connected to the internet and are not encrypted at rest.
