DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Another breach raises questions about the security of online health data

Posted on May 4, 2009 by Dissent

First it was an extortion demand made to  Express Scripts in October 2008, followed by similar threats to some of their clients that members’ personal information and prescription data would be exposed on the web if the company didn’t pay up.  Now the Virginia Department of Health Professions is also on the receiving end of an extortion demand, this one posted by a hacker on the secure site of the Virginia Prescription Monitoring Program:

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this shit is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).

Now I hear tell the Fucking Bunch of Idiots ain’t fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at [email protected] and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will 😉

The extortion demand was posted on April 30th.

As Thomas Claburn of InformationWeek reports, this type of attack — accessing and acquiring data, encrypting it, then selling access to the former owner — has its own name: cryptoviral extortion. The attack may not be particularly devastating in the sense of losing data if the entity runs daily backups that are not stored on the network, but these attacks are devastating in terms of the acquisition and threat of exposure of tremendous amounts of personal information, even if the information does not contain Social Security numbers.

In the last 6 months, the prescription records of almost 60 million people may have been acquired — and may even be already circulating on the internet via chat rooms or carders’ forums. Neither Express Scripts nor Virginia have provided any additional information.

Under new provisions in the HITECH Act, entities basically need to either encrypt data or destroy it. While the provisions are raising eyebrows and concerns, these two breaches should serve as a cautionary tale of what happens when vast amounts of sensitive health information are left sitting in databases connected to the internet and are not encrypted at rest.

Category: Health Data

Post navigation

← UK: Stolen laptops held details of 10,000
Ca: Teacher web site exposes student info →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.