8 Million Patient Records Stolen From Virginia State Database, Held For Ransom

The Washington Post says that a hacker encrypted 8 million patient prescription records from a Virginia state website last week, deleted the backups, and replaced the home page with a ransom note. If the state doesn’t pay $10 million within 7 days, the hacker has threatened to sell the data to the highest bidder.

Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file.

[...]

Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.

Here’s the full text of the ransom note. Why can’t hackers be a bit more elegant and well spoken in a James Bond Villain sort of way?

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this shit is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).

Now I hear tell the Fucking Bunch of Idiots ain’t fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will ;)

“Hackers Break Into Virginia Health Professions Database, Demand Ransom” [Washington Post via Slashdot] (Thanks to Chris!)
“Over 8M Virginian patient records held to ransom, 30 Apr 2009” [Wikileaks]
(Goblin statue: tanakawho)