Virginia Prescription Records Stolen and Held for Ransom

This one is hard to believe, but true. According to Wikileaks and as reported by the Washington Post, On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand. The PMP is used by pharmacists and others to discover prescription drug abuse. The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable.

The Washington Post reports that serious consideration is being given by the Virginia officials to paying the $10 million ransom.

This story highlights two significant failures. First, not keeping the data secure. Second, it turns out that Virginia may not have a complete backup.

Neither failure is difficult to prevent. Although, as to the security failure, I’d bet the perpetrator is an insider. We have discussed in this blog previously how often (and why) insiders are usually the culprit. And it is indeed harder to prevent this sort of malicious or worse behavior when an insider is behind it. But still proper controls, also discussed previously can minimize this type risk.

But how can it happen that Virginia does not have backup? Just shocking. We’ll give the Commonwealth 1 year of free service, if they’d like. Providing we’re allowed to name them as a customer.