Virginia Department of Health Professions Breach: Extortion Demand Regarding 8M Patient Records and 35M Prescriptions

Tuesday, 5 May 2009
Information Week is covering a story involving an extortion letter sent last week to the Virginia Department of Health Professions seeking $10M to return more than 8M patient records and 35M prescriptions allegedly stolen from the Virginia Department of Health Professions.

The extortion demand was posted on WikiLeaks. The WikiLeaks website states:

May 3, 2009
Summary
On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
"I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx, appears to have been entirely disabled and is presently unavailable.
The linked file provides the full ransom message.
The PMP is used by pharmacists and others to discover prescription drug abuse.
The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable.

The Virginia Department of Health Professions website indicates that they are "currently experiencing technical difficulties which affect computer and email systems."

Sandra Whitely Ryals, Director of the Virginia Department of Health Professions, responded to the inquiry by Information Week stating that "a criminal investigation is under way by federal and state authorities."

The Washington Post Security Fix blog is also covering this story. Follow more news on this story via Google News.


UPDATE (5/5/09):
At the bottom of his follow-up post, John Chilmark asks the question: "Now the question is, under HIPAA, does the VDHP have to send out breach notifications to all consumers whose records have been compromised?"

Here is my quick assessment. The HIPAA privacy rule (pre-ARRA HITECH) does not contain provisions that require a covered entity to notify individuals impacted by an alleged breach. However, when I have assisted clients with these types of data breach situations in the past, I typically discuss with the client whether it is good practice to provide notification. The HIPAA privacy rule provisions do contain a requirement that a covered entity should mitigate potential harm to patients/individuals when there is a violation of the privacy rule. My interpretation is that this might, under certain circumstances, include providing notice to individuals whose data has been compromised. Also, a question that factors into the equation is whether or not the Virginia Department of Health Professions qualifies as either a covered entity or a business associate under the HIPAA privacy rule. Handling these situations is very fact-specific and depends upon a number of factors.

The new federal breach notification requirements contained in the HITECH section of the American Recovery and Reinvestment Act (ARRA) do not apply because the provisions do not go into effect until 30 days after the Department of Health and Human Services (HHS) publishes the interim final data breach notification regulations, which it has not yet done. The new federal breach notification law will be implemented in conjunction with the Federal Trade Commission's (FTC) proposed health breach notification rule that will apply to PHRs, PHR-related vendors and other third-party providers. The proposed rule is currently out for comment.

The regulations are currently in the works, and HHS has now issued initial guidance on what data is classified as unsecured protected health information (not secured by technology that renders it "unusable, unreadable or indecipherable"). See the April 27, 2009 guidance for more on what this means. The guidance outlines the types of technologies that, if used, create a safe harbor for HIPAA privacy covered entities and business associates to avoid having to provide notice in a situation where there has been a breach.

Also, the VDHP will likely have to assess the Virginia Data Breach Act (state-by-state survey of state breach laws by the National Conference of State Legislatures) to see whether notification or other action is required under state law. Over 40 states now have distinct state laws governing breach notification that extend to and cover everything from traditional personal information (name, social security number, etc.) to health-related information. I've not dealt with nor reviewed the Virginia Act, but I suspect a strong likelihood that notification will be required.

UPDATE (5/6/09): The Roanoke Times provides an update on the status of the pending investigation with comments from Governor Tim Kaine. The article states:
Gov. Tim Kaine said today that a hacker’s reported access to patient prescription records from a state database was “an intentional criminal act against the commonwealth by somebody who was trying to harm others” . . .

The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.

“Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.

The article also indicates that Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach, and that, like many state laws, it requires notice to be provided "without unreasonable delay."