Michael Sluss of The Roanoke Times reports that well, basically, we still don’t know very much about the reported hacking and ransom demands involving the Virginia prescription monitoring database. Based on other big cases I’ve followed over the years, that’s not surprising.
The one detail in the ransom note that suggested to me that the poster of the ransom note might really have acquired the data is the specificity of the number of records in the database reportedly acquired. Virginia officials have not publicly commented on whether the numbers included in the note were accurate.
The incident could not have occurred at a worse — or better — time, depending on your views of creating large databases of medical information that can be accessed over a network. What security protections did the state have in place, and how did they fail? Will it turn out this hack was super-sophisticated or will we eventually learn that the hacker exploited a vulnerability that has been recognized for a long time and could have and should have been patched or addressed years ago? Only time will tell, but this is a case where genuine transparency is needed.