The PMP contains details of medical patient’s drug prescriptions and was intended to be used to stop people abusing their access to medicines. However, last week the site was taken over by hackers and the following announcement posted on the web page:
"I have your s**t! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions,” said the site according to Wikileaks.
“Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site has now been taken down and PMP representative are not returning requests for information from the media.
The message continues that if payment is not received in seven days then the hackers will offer the information to the highest bidder. They say that they may not find a market for the prescription data but should be able to sell basic identity information such as social security numbers and driver’s license details.
The message then lampoons the FBI’s practice of not paying out ransom for information and gives an email for response. The FBI and state police are reportedly investigating.
“If this all is correct, it indicates that several protection layers failed at the PMP,” said Bojan Zdrnja of the SANS Internet Security Center in a blog posting.
“Without knowing more details we can't say if the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is ability for a hacker to delete your backups. And indeed, any decent backup system will only allow you to backup the data or read it – only the backup administrator should be able to delete the backups.”
The case raises long term questions for businesses holding large amounts of data on customers, and their liability should a hacking attack occur.
This is not the first time that medical databases have been held for ransom. In October 2008 prescription processor Express Scripts had their database stolen and offered US$1 million for its safe return.