Virginia officials this week began mailing direct individual notifications to more than a half-million people whose Social Security numbers may have been contained in the Prescription Monitoring Program database that was hacked into in April by a criminal demanding a $10 million ransom.
"Although the investigation has yet to determine what, if any, personal information is at risk, DHP nonetheless recommends that persons remain vigilant over the next 12 to 14 months," says Sandra Whitley Ryals, director of the Virginia Department of Health Professions, which oversees the PMP data base.
State and federal authorities continue to investigate the April 30 breach. Ryals says all PMP data was backed up and all back-ups have been secured. There is no evidence that systems beyond the PMP were involved.
Ryals says the mailing is to directly inform individuals of the potential exposure of Social Security numbers and to advise persons of precautionary steps that may be taken. "While there are over 35 million prescription records in the PMP database, only the 530,000 individuals whose prescription records may have contained Social Security numbers will receive the direct mailing," said Ryals. "Additionally 1,400 registered users of the program who may have provided Social Security numbers when they registered for the program also are being sent an individual notification."
The PMP system has been closed since the breach. It will reopen for registered users when new security measures are cleared by the Virginia Information Technology Agency and other law enforcement agencies.
The as-yet unidentified hacker left a ransom note in April at the Web site that read: "I have your [stuff]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
Police have declined to detail the investigation.