Late last week in the State of Virginia, someone hacked into the Virginia Dept. of Health Professionals (VDHP) website and downloaded all 8M-plus records and some 35M prescription records. After downloading the information, the hacker went on to erase all of the records on the VDHP servers and is now demanding a $10M ransom to return the files.
The following screenshot from the VDHP website clearly shows that yes, my sweetie, we are experiencing technical difficulties.
West Virginia lawyer Bob Coffield has put up a good brief post with links to more background information on this somewhat scary story.
Makes one wonder just how safe our records are anyway, whether they are stored in repositories such as VDHP (a government-run institution, no less) to minimize drug abuse, in a given regional Exchange to facilitate care coordination, or even at a local hospital, clinic or, worse, physician's office. One thing is for sure: I doubt that many, if any, of the aforementioned facilities/operations have sufficient security to prevent such a hack of their systems.
Now the question is, under HIPAA, does the VDHP have to send out breach notifications to all consumers whose records have been compromised?
David Harlow, a healthcare lawyer based in Boston, has an excellent post that looks closely at the broader implications of this privacy and security breach.