Late last week, someone broke into the website of the Virginia Department of Health Professions (VDHP) and downloaded more than 8M patient records and some 35M prescription records. After downloading the data, the attacker wiped the records from the VDHP servers and is now demanding a $10M ransom to return the files.
The following screenshot from the VDHP website clearly shows that yes my sweetie, we are experiencing technical difficulties.
West Virginia lawyer Bob Coffield has put up a good, brief post with links to more background information on this somewhat scary story.
Makes one wonder just how safe our records are anyway, whether they are stored in repositories such as VDHP (a government-run institution, no less) to minimize drug abuse, in a regional Exchange to facilitate care coordination, or at a local hospital, clinic or, worse, a physician’s office. One thing is for sure: I doubt that many, if any, of the aforementioned facilities/operations have sufficient security to prevent such a hack of their systems.
Now the question is: under HIPAA, does VDHP have to send out breach notifications to all consumers whose records have been compromised?
David Harlow, a healthcare lawyer based in Boston, has an excellent post that looks closely at the broader implications of this privacy and security breach.
Thanks for the follow up post on the alleged data breach involving records at the Virginia Department of Health Professions.
I noticed your question at the end of your post and thought I would provide you with a quick analysis of my thoughts on the requirements for breach notification under federal and state law.
I added an “update” at the bottom of my original post on the situation.
If it didn’t affect millions of people, it would be funny in a pathetic way. A state agency sets up a public database, and gets compromised in a data breach.
What’s truly surprising is that even the backup files are being held hostage as well. The hacker behind this not only brought down the database but also every single backup available. The state agency’s site has been down for six days (and counting), unable even to restore to last week’s or even last month’s data.
What’s even more shocking is that the news media have buried this story. This should be a huge wakeup call to the vulnerability of government IT systems, potentially to attack by other states or terrorist groups. It’s not just a breach of stolen data, it’s a full-blown attack on a government agency’s ability to function. In my opinion, that makes it the scariest data breach in the US in recent years.
On a lighter note, here’s a link to the Virginia Data Bandit’s ransom note: http://file.sunshinepress.org:54445/virginia-ransom-2009.html.
Oh, and time’s up tomorrow, May 6th.
[…] More in-depth coverage of this can be found at The Washington Post and Chilmark Research. […]
Great post, thanx.