As reported here and onEHRtv.com, The Department of Health And Human Services recently announced new guidelines for controlling and reporting security breaches of Electronic Medical Records. Now, just weeks after HHS’ announcement, Virginia has revealed that the EMRs of 8 million patients may have been compromised.
Yesterday, an FBI Official confirmed that they are investigating a $10 million ransom demand by a hacker or hackers, who say they have stolen nearly 8.3 million patient records from a Virginia government Web site that tracks prescription drug abuse. The breach involves the Virginia State Prescription Drug Monitoring Program’s website, www.pmp.dhp.virginia.gov/. Virginia’s governor said state police are also cooperating in the investigation. In a statement the governor said that the breach of patient EMR data is a serious crime, and is being treated as such. As of this writing the Website is still down.
FBI officials were made aware of the potential breach when last week they were contacted by the Virginia Information Technologies Agency (VITA). Asked whether patient information is secure, the FBI Official would not say, only that an incident had occurred. “I really can’t make a declarative statement as to whether anyone’s information is in jeopardy at this point,” the official said. Apparently a message appeared on the front page of the Program’s website from a hacker who claimed to have obtained the EMR information of the over 8 million patients in the system – and would sell the data to the highest bidder if the state did not pay him or them – 10 million dollars.
Sandra Whitley Ryals, director of the Virginia Department of Health Professions, which runs the program, confirmed that a criminal investigation is underway into the potential security breach which occurred on April 30. Since the unauthorized message was posted, the department has been working “very closely and cooperatively with federal and state law enforcement to resolve the situation. “The entire DHP system has been shut down since [April 30th] to protect the security of the program data,” Ryals said in a statement released to the Press.
A spokesperson for the Virginia Department of Health, which uses different software than the Prescription Monitoring Program, said that the Monitoring Program’s website is now secure, but that “something did happen.” The records that were allegedly stolen do contain social security numbers and other information valuable to identity thieves.
Michael Fitzpatrick, president and CEO of the NCX Group, a Newport Beach, Calif.-based computer-security consulting group commenting on the incident said that many government agencies just do not have the budgets to take the best security measures to prevent sophisticated attacks by hackers.