Hackers demand ransom for US medical data

The Virginia Prescription Monitoring Program has fallen victim to hackers

Hackers have taken control of the Virginia Prescription Monitoring Program (PMP), and are demanding a $10m (£6.6m) ransom for the return of millions of patient records.

The Virginia PMP contains details of drug prescriptions, and was designed to stop people abusing their access to medicines.

However, the site was taken over on Thursday by hackers who posted the following announcement on the web page:

"I have your s**t! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh :(For $10 million, I will gladly send along the password."

The site has now been taken down, and Virginia PMP representatives are not returning requests for information from the media.

The hackers' message added that, if payment is not received in seven days they will offer the information to the highest bidder. The identity data includes social security numbers and driving licence details.

The message then lampoons the FBI's practice of not paying ransoms for information, and gives an email address for response. The FBI and state police are reportedly investigating.

"If this is correct, it indicates that several protection layers failed at the PMP," said Bojan Zdrnja, of the Sans Internet Storm Center, in a blog post.

"Without knowing more details we can't say if the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is the ability for a hacker to delete your backups.

"And indeed, any decent backup system will only allow you to backup the data or read it. Only the backup administrator should be able to delete the backups. "

The case raises long-term questions for businesses holding large amounts of data on customers, and their liability should a hacking attack occur.

This is not the first time that medical databases have been held to ransom. In October 2008 prescription processor Express Scripts had its database stolen by hackers who demanded $1m (£660,000) for its safe return.