Someone has been reading... "Burn After Reading".
Almost 8.3 million patient records have been stolen from a Virginia government website that tracks prescription drug abuse, according to hackers who are demanding a $10 million ransom for their return. "I have your shit!" the note, which was posted to Wikileaks read. "In *my* possession, right now, are 8,257,378 patient records …
"It stretches the imagination to believe outsiders could break into a state-run website and destroy both the original data and its backup, which presumably would be stored off-site."
Apparently you haven't worked in the Public Sector before...
They should add to that person's medical information: permanently removed from gene pool.
This could be a conundrum. It would be interesting to see the authorities not catch this/these person/s, to see how the system worked or did not work (not advocating crime). They could not do that though, could they? Allow 8.2 million people's personal records to be sold to the highest bidder? Well, luckily for the authorities, that is what they intend to do. The authorities in that case may see it as a blessing if they cannot catch this hacker and they sell the personal data and prescription information to some marketing, health insurance or pharmaceutical firm, not that any of them would ever buy anything like that.
That is definitely a more acceptable outcome than the hacker publishing the data online for anyone and everyone to copy and then sell on.
... the UK's NHS does not use the same system.
But there again the UK is broke so what might be the point of blackmail?
Which has severe sentencing implications. This hacker (if telling the truth) is looking at life in prison, at least. He could be charged with murder if someone dies because of a foul-up due to missing records.
Of course, he could be lying to pull a prank. But even if he is, the Feds will still hunt him down.
People like this are why the death penalty was invented...
Brazen scam, but with LE tracking money flow globally it is unlikely they will be able to collect the $10,000,000. Interesting post covering this and a historical perspective over at http://blog.lumension.com/?p=1105
Ransomware is nothing new, but trying to make $10,000,000 from a single incident is ;-)
The University of Virginia (not where these records were stolen, AFAIK) was one of the pioneers in electronic online medical records, but this just goes to show that the value is only as good as the dedication of the people who operate the system. Indeed even the Veterans Administration in Washington, D.C. was an early pioneer in online radiology image availability. There was a lot more emphasis at UVA on automation than on security or even quality of care. They had an automated patient record, but they still seemed to be able to send home babies with the wrong mothers or have epidemics of VRE or MRSA in the medical center. To their credit they did address these issues, but this just goes to show that throwing technology at something or automating it doesn't fix anything if all you're doing is automating a broken system.
"...and its backup, which presumably would be stored off-site..."
Yeah, I wish that were always the case. Too many of my company's customers leave live tapes in the library instead of off site. Of course, with Iron Mountain's issues, sometimes I can't blame them...
I'd think it more likely that the volume was marked as scratch and removed from the catalog rather than deleted.
I'd email email@example.com and ask, but I'm sure that would land me on some "bad list"
Just to make it perfect, Virginia paid doctors to use the electronic records.
Electronic medical records have tremendous potential to save time and trim costs from our health care system. Virginia Governor Tim Kaine recognizes this potential, and he is leading his state's participation in a federal project that allows Virginia to give financial incentives to doctors who use electronic medical record technology and report back about the results.
"It stretches the imagination to believe outsiders could break into a state-run website and destroy both the original data and its backup, which presumably would be stored off-site. A spokeswoman from Virginia's Department of Health Professions didn't return a phone call seeking comment. She told Security Fix the website was shut following the April 30 discovery of an intrusion. She never directly addressed whether sensitive data was stolen or deleted."
Please, the sad truth is that people don't understand the value senior and experienced consultants bring to the table. Security for the most part is an afterthought. :-(
Paris, because she's got more brains than most in IT Management.
"I hope ... the UK's NHS does not use the same system."
I don't know about patient records, but the NHS BSA PPD (NHS Business Services Authority - Prescription Pricing Division) has recently started scanning and digitally storing every prescription they handle to cut handling costs and logistics involved in shuffling millions of bits of paper around every month. One of the first things they do with the images is run them through an OCR process to capture as much information as possible off the form before the keyboard rattlers they employ go through and manually enter anything OCR couldn't read.
They also enforce that wonderfully archaic "security precaution" of forcing all their staff to change their password every month as well as frequently shuttling lists of usernames and passwords back and forth between offices via email so staff can share workloads. A scary number of the passwords we see are simply the month name.
There are also plans, currently shelved, to outsource processing of medical records and prescriptions to India.
Overall, the PPD CIP (Capacity Improvement Program) is a farce and wide open for a bit of abuse if anyone bothers to probe the largely obfuscation based security. I fear we're well on our way to being as vulnerable as the US.
My records could be up for auction starting Thursday and nobody was informed until today. Really makes me wonder what my taxes are going towards.
Do you think that anyone, anywhere, will pay more than $1 for some stranger's medical records?
My opening bid is $4, plus actual shipping charges.
I had the (mis)fortune to be asked to set up an electronic transmission system for patient data (scans, etc) here. I set up a fully encrypted, public-key dropoff system that only decrypted the data at the receiving end after pickup; really secure, although not overly so considering the data.
However it was rejected because it required a small piece of client software to be installed and would not work on a completely vanilla off-the-shelf M$ PC without ANY additional software. We fully explained the security implications and so on, but they all felt it was just too complicated.
So it was replaced by... an MS Windows fileserver! Sharing over the Internet!
Anonymous for obvious reasons.
I agree with you whole-heartedly about the death penalty being imposed on scum like this. Unfortunately, what will actually happen is that the little shits responsible, when caught, won't be executed. They won't even be jailed or fined. Instead - and this is what really makes me boil - some security company will offer them a fat cushy job at $150,000 a year to develop and test security systems as a reward for their crimes.
Quite aside from the idiocy of employing a safecracker to design a safe (which he will invariably design a flaw into so he can crack it later), this sends the message to other criminals that CRIME PAYS - and pays well! As long as this stupidity continues, the internet will become more and more poisonous until in the end, it becomes unusable.
This sort of thing has riled me to the point where I've written to my local representative asking her to consider introducing mandatory sentencing for cybercriminals and legislation prohibiting convicted cybercriminals from ever holding or obtaining IT-related occupations, with stiff fines and jail time for both the crook and any company that hires him. So far, I haven't heard back, but I'm going to keep going on this. While I might not ever get my wish for the public executions of these bastards, getting the government to legislate against companies rewarding them with cushy jobs is definitely doable. It will be even more effective if people can get this through in multiple countries. Write to your representative today!
Is it just me or does this guy remind anyone else of an old school James Bond villain? The age of the leet James Bond Villain is upon us!
It amazes me how many folks jump up to lynch someone every time this sort of thing happens. I wouldn't mind if any of these flaming-branded pitchfork bearers ever fingered the person or persons really responsible for these fiscal farces, but mostly they seem quite satisfied to dethrone some minor, underpaid, untrained, overworked screen jockey.
We all know the real culprits are the well paid wonks who talk about Margins, Bottom Lines, perhaps even TCO, and who make decisions about how much of the system that appeared in the System Requirements Specification to actually implement.
F*ckers like these make decisions to connect secure systems to the internet, to save money, save paper, warehousing and other handling costs. If you want to hang someone, please, please, please hang these tw*ts and their would be fat cat directors.
Considering that UK Plc wants EVERY PIECE OF DATA about us stored electronically, I can just imagine the situation we'd be in...
Hacker: OK, I'll give you back details of all your citizens for £10,000,000
UK Gov: Too much
Hacker: OK but you do know you'll never be able to collect tax without this? ha ha ha
For some scrote nicking (possibly) a load of medical records - death.
For bombing civilians in Afghanistan -- a bit of a slap on the wrist.
There seems to be a bit of a difference between culpability for having a crap security system and culpability for having crap security forces.
We are seeing more and more personal data lumped on to servers, so the likelihood of huge amounts of stuff getting lifted increases at the same time. It's put there to save money and, presumably, provide easier access for those who need it. Not enough money is spent on ensuring that access is only available to a few. Usually, to save even more money, access is given to many who express a need for the data. If there is anyone who should really be excommunicated from the Church of Darwin it should be those who sign off poorly tested systems. There is, Steve Roper, an obvious need to employ people with a talent for poking away at supposedly foolproof systems. Kill all the predators and the consequences have always been dire.
and it is set to ramp up. You cannot digitise medical records; the propensity for blackmail is too high, and the medical profession is too arrogant to be trusted.
The request is just to publicise the matter: if you want medical records on anyone in Virginia, and a lot of that will include people in the CIA and FBI and their families (they are both in McLean and Langley, VA, and most of the US government is in VA at some point), along with foreign diplomats, it is now available to buy. That is the message here.
That compromise is huge, on many levels, and a lot of people in the US will not be happy about this. I doubt he will collect from the US, and selling it in parts will be risky, but if it is a foreign power they would probably pay a large amount for it.
Hopefully some good will come from it, the US will probably backtrack now on storing medical records in a digitised insecure way, and the UK will stop their projects.
The hackers may not have damaged it. The ones who ran the backups may just have screwed up. You don't know your backup system doesn't work till you try and restore something.
The state has the power to compel everyone's medical prescription data to be put in one huge database so they can snoop through it. Doesn't anyone else have a problem with this?
Ok, so maybe you actually LIKE the idea of the state snooping in your personal business. Are they so F'ing stupid they couldn't separate the individual prescription information from names and addresses UNLESS they find a problem that requires follow-up ("Ok, Mr. X, we see that you've been 'doctor shopping' and have 142 prescriptions for oxycodone. We think there might be a problem here; care to help us out?")? The most basic rule is to separate real names from databases to prevent this exact type of problem. Crim should go to gaol. State admin should be sent to gaol, too.
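The separation the commenter argues for, as an added example that is neither the Virginia system's design nor anything from the original thread: identities live in a vault keyed by HMAC, the monitoring table stores prescriptions against the pseudonym only, and the vault is consulted solely for pseudonyms that trip a doctor-shopping threshold. The HMAC key, the threshold of three prescribers, and the patients and prescriptions are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// IdentityVault is the only place a pseudonym can be turned back into a
// name and address. It is meant to sit on a separate system from the
// prescription store and be consulted only when a follow-up is justified.
type IdentityVault struct {
	key   []byte            // HMAC key; the prescription table cannot be joined to names without it
	names map[string]string // pseudonym -> "name, address"
}

func NewIdentityVault(key []byte) *IdentityVault {
	return &IdentityVault{key: key, names: map[string]string{}}
}

// Pseudonym derives a stable keyed token from a patient identifier. A plain
// hash would not do: name plus date of birth is a small enough space to brute-force.
func (v *IdentityVault) Pseudonym(patientID string) string {
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(patientID))
	return hex.EncodeToString(mac.Sum(nil))
}

// Enrol stores the real identity under its pseudonym and returns the token
// that the prescription system is allowed to see.
func (v *IdentityVault) Enrol(patientID, nameAddr string) string {
	p := v.Pseudonym(patientID)
	v.names[p] = nameAddr
	return p
}

func (v *IdentityVault) Resolve(p string) (string, bool) { n, ok := v.names[p]; return n, ok }

// Prescription is a row in the monitoring database: pseudonym, drug and
// prescriber, but no name or address. Stealing this table alone yields no identities.
type Prescription struct {
	Patient, Drug, Prescriber string
}

type MonitoringDB struct{ rows []Prescription }

func (db *MonitoringDB) Record(p Prescription) { db.rows = append(db.rows, p) }

// DoctorShoppers returns the pseudonyms that obtained drug from at least
// threshold distinct prescribers. Only these are ever escalated to the vault.
func (db *MonitoringDB) DoctorShoppers(drug string, threshold int) []string {
	prescribers := map[string]map[string]bool{}
	for _, r := range db.rows {
		if r.Drug != drug {
			continue
		}
		if prescribers[r.Patient] == nil {
			prescribers[r.Patient] = map[string]bool{}
		}
		prescribers[r.Patient][r.Prescriber] = true
	}
	var flagged []string
	for p, docs := range prescribers {
		if len(docs) >= threshold {
			flagged = append(flagged, p)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Demo loads constructed sample data, runs the doctor-shopping check and
// resolves only the flagged pseudonyms through the vault.
func Demo() (flagged, identities []string) {
	vault := NewIdentityVault([]byte("constructed-demo-key")) // assumed; a real key lives in a KMS/HSM
	db := &MonitoringDB{}
	mrX := vault.Enrol("VA-000123", "Mr X, 1 Example St, Richmond VA")   // constructed
	mrsY := vault.Enrol("VA-000456", "Mrs Y, 2 Example Ave, Norfolk VA") // constructed
	for _, doc := range []string{"Dr A", "Dr B", "Dr C", "Dr D"} {
		db.Record(Prescription{mrX, "oxycodone", doc})
	}
	db.Record(Prescription{mrsY, "oxycodone", "Dr A"})
	db.Record(Prescription{mrsY, "amoxicillin", "Dr B"})
	flagged = db.DoctorShoppers("oxycodone", 3)
	for _, p := range flagged {
		if name, ok := vault.Resolve(p); ok {
			identities = append(identities, name)
		}
	}
	return flagged, identities
}

func main() {
	flagged, identities := Demo()
	fmt.Println("flagged pseudonyms:", flagged)
	fmt.Println("escalated identities:", identities)
}
```

With this split, a copy of the prescription table on its own is a list of tokens, drugs and prescribers; turning a token back into a person needs both the vault contents and the HMAC key, which belong on a separate system with its own access controls. The threshold and the escalation step are where the state's follow-up happens, without every row carrying a name.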
You nailed it. I hope the blackmailer is caught, but whether he is or isn't, the beancounters who ultimately allowed this to happen should be fired at the least.
...if someone finds out that a bloke they've never heard of, and are never likely to meet (i.e., me) is taking Prozac, Viagra or such.
The main problem with the digitisation of medical records is that, unless they're just scanned, someone could decipher the doctor's 'hand'writing....
Now, THAT's a hanging offence!
What if the hacker forgets/loses the encryption key, which I think will happen when/if the FBI catch him? If Virginia do not have a backup .... LOL