DataBreaches.Net


Another breach raises questions about the security of online health data

Posted on May 4, 2009 by Dissent

First it was an extortion demand made to Express Scripts in October 2008, followed by similar threats to some of its clients that members’ personal information and prescription data would be exposed on the web if the company didn’t pay up. Now the Virginia Department of Health Professions is also on the receiving end of an extortion demand, this one posted by a hacker on the secure site of the Virginia Prescription Monitoring Program:

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this shit is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).

Now I hear tell the Fucking Bunch of Idiots ain’t fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at [email protected] and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will 😉

The extortion demand was posted on April 30th.

As Thomas Claburn of InformationWeek reports, this type of attack — accessing and acquiring data, encrypting it, then selling access back to the former owner — has its own name: cryptoviral extortion. An entity that keeps daily backups off the network may lose little in terms of availability, since it can simply restore, but a restore does nothing for confidentiality: the attacker still holds a copy of a tremendous amount of personal information and can expose it at will. That threat is devastating even when the records contain no Social Security numbers.

In the last six months, the prescription records of almost 60 million people may have been acquired, and may already be circulating on the internet via chat rooms or carders’ forums. Neither Express Scripts nor Virginia has provided any additional information.

The HITECH Act’s new breach notification provisions apply to “unsecured” protected health information, and the HHS guidance issued in April 2009 recognizes only two ways to secure it: encryption or destruction. In practice, then, entities that want to stay outside the notification regime need to either encrypt data or destroy it. While the provisions are raising eyebrows and concerns, these two breaches should serve as a cautionary tale of what happens when vast amounts of sensitive health information are left sitting in databases connected to the internet, unencrypted at rest, with nothing standing between a successful intrusion and millions of readable records.
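What “encrypted at rest” has to mean for the safe harbor to be worth anything is that a stolen copy of the database is unreadable without a key that was never on the database host. The following is an added example, written for this page and not code from the original post or from any of the systems it names: application-layer envelope encryption of a patient record in Go, using only the standard library. The record layout, the patient ID scheme, the sample PHI and the in-memory key-encryption key (KEK) are all constructed for illustration; in production the KEK would sit in an HSM or key-management service that exposes only the unwrap operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedRecord is all the database (and therefore a dump of it) holds for
// one patient: the PHI as ciphertext, plus a per-record data key that is itself
// encrypted ("wrapped") under a KEK that never touches the database host.
type EncryptedRecord struct {
	PatientID  string // non-sensitive row key, bound into both AEADs as associated data
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK
	Ciphertext []byte // nonce || AES-256-GCM(PHI) under the DEK
}

// aeadSeal encrypts plaintext under key with AES-GCM, prepends the fresh random
// nonce, and authenticates (but does not encrypt) aad.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to key, nonce, ciphertext or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord draws a random data-encryption key (DEK) for this record,
// encrypts the PHI under it, then wraps the DEK under the KEK. Using the patient
// ID as associated data means a stolen row cannot be silently re-attached to a
// different patient.
func EncryptRecord(kek []byte, patientID string, phi []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	aad := []byte(patientID)
	ct, err := aeadSeal(dek, phi, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := aeadSeal(kek, dek, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord requires the KEK: unwrap the DEK, then open the PHI. Without the
// KEK a complete copy of the table yields only the patient IDs.
func DecryptRecord(kek []byte, rec EncryptedRecord) ([]byte, error) {
	aad := []byte(rec.PatientID)
	dek, err := aeadOpen(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, rec.Ciphertext, aad)
}

// DumpRow renders a row as it would appear in an exfiltrated database dump.
func DumpRow(rec EncryptedRecord) string {
	return fmt.Sprintf("%s,%s,%s", rec.PatientID,
		hex.EncodeToString(rec.WrappedDEK), hex.EncodeToString(rec.Ciphertext))
}

func main() {
	kek := make([]byte, 32) // constructed KEK for illustration; production: HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec, err := EncryptRecord(kek, "PMP-0001", []byte("Jane Doe|1970-01-01|oxycodone 10mg x30"))
	if err != nil {
		panic(err)
	}
	fmt.Println("row as stored, and as stolen:", DumpRow(rec))
	if _, err := DecryptRecord(make([]byte, 32), rec); err != nil {
		fmt.Println("attacker with dump but no KEK:", err)
	}
	pt, err := DecryptRecord(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("application holding the KEK:", string(pt))
}
```

The point of the two-layer scheme is operational as much as cryptographic: rotating the KEK re-wraps 8 million 32-byte keys rather than re-encrypting 35 million prescriptions, and the KEK can be revoked or its unwrap access logged the moment an intrusion is suspected. Had the Virginia database been stored this way, the hacker’s dump would have been hex noise keyed by patient ID, and the question of whether the records were “unsecured” under HITECH would not arise.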


Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.