Tuesday, May 5, 2009

Virginia Health Data Potentially Held Hostage

Brett D. Arion

An unknown hacker posted an extortion demand on WikiLeaks and is seeking $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from the Virginia Department of Health Professions.

The note reads: "ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note goes on to demand $10 million within seven days, presumably from the time the data was apparently seized on April 30, in exchange for the key to decrypt the encrypted backup.

"If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid," the note says.

A notice appears to have been posted on the DHP Web site, stating that the site "is currently experiencing technical difficulties which affect computer and e-mail systems."

It seems that extortion demands of this sort have become relatively common in data breach cases. For instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records. The attack technique -- capturing data, encrypting it, then selling access to the former owner -- has become popular enough to earn its own name: cryptoviral extortion.


Sandra Whitley Ryals, director of the Virginia Department of Health Professions, said in an e-mail to InformationWeek that "a criminal investigation is under way by federal and state authorities. We cannot speak to the details because of the ongoing criminal investigation."
