Medical Data Held for Ransom
A warm front brought rain all along the eastern mid-Atlantic of the United States on Thursday morning, April 30. It was the second week in a row of rain. Nearly all of Virginia’s approximately 5,000 pharmacists took umbrellas to work, shook the rain off as they walked in their front doors and prepared for another day.
By 8:30 a.m., most had logged onto their computer systems and were catching up on the overnight prescription call-ins, the emails and any leftover paperwork from Wednesday. By 9:00 a.m., most every pharmacist in Virginia had read the ransom note.
It read: “I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.” The message said if officials didn't respond within seven days the information would be made available to whoever offered the highest bid. The story was first reported May 3rd on Wikileaks (www.wikileaks.org).
Every day, Virginia’s pharmacists log onto the state’s Prescription Monitoring Program (PMP) system to upload any new prescriptions of drugs like oxycodone, methadone, morphine, Ritalin, Hydrocodone, Vicodin, testosterone, Tylenol with codeine, Valium, Xanax, Darvocet-N100, or Ambien. The PMP site keeps track of such drug usage in the state and is designed to uncover any signs of prescription drug abuse.
But, instead of the usual interface screen, pharmacists on that Thursday morning saw a ransom note that was posted directly to PMP’s homepage. The site itself (https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx) was otherwise disabled.
By 9:00 a.m. on April 30, 2009, 8.3 million patient records were being held hostage and the kidnappers were demanding $10 million to release the “victim.”
For its part, Virginia’s Department of Health Professions shut down what was left of its site, began an urgent scrub and called the FBI. Prescriptions didn’t stop. Payments weren’t affected.
By midday, the federal and state attack dogs were turned loose. The FBI launched its investigation, the Virginia Information Technologies Agency started an investigation, and the state police began to investigate.
Of the three, the FBI’s Computer Analysis and Response Team (CART) is considered to be the most sophisticated. Every FBI field office is equipped to perform forensic computer examinations and to provide technical support for FBI investigations. The CART unit has become famous in recent years for its state-of-the-art laboratory and network of trained and equipped Internet forensic experts.
The FBI’s system is also automatically connected to the United States Attorney's Office and seven other federal, state, and local law enforcement agencies. It is also linked to the Department of Defense Computer Forensic Laboratory (DCFL).
The FBI separates computer crimes into two categories: 1) crimes facilitated by a computer and 2) crimes where a computer or network is the target. Using a computer as a tool to aid criminal activity may include storing records of fraud, producing false identification, reproducing and distributing copyrighted material, collecting and distributing child pornography, and many other crimes.
The FBI uses a number of federal statutes to investigate computer crimes. When the hackers are caught, they are prosecuted under roughly nine federal statutes.
If these hackers are smart, they’ll leave a box with the discs on the PMP’s doorstep and slip quietly out of the country—perhaps to somewhere north of the Arctic Circle.
The Ransom of Red Chief Data
No doubt, especially since President Barack Obama has made the digitization of medical records a major pillar of his push to lower the cost of health care, it must have seemed like a passably good idea to steal 8.3 million medical records and then try to hold them ransom for $10 million.
Unfortunately (for the data-nappers), the Virginia Department of Health Professions had a backup file which was used to bring the PMP system back online in a matter of days. Furthermore, the hijacked Virginia prescription data had NO really valuable personal information—like social security numbers. Just names, addresses, prescription numbers, drug names, dates of prescriptions, and ages of recipients.
Perhaps the data-nappers thought that having those actual names made the names valuable. If my name were one of those…ummm…I wouldn’t pay anything to get my duplicate record back. Who would? Who, in fact, cares (other than the FBI)?
So, like Bill Driscoll and his buddy in the famous O. Henry short story “The Ransom of Red Chief,” these characters are probably holed up in a basement cave wondering what kind of hornet’s nest they’ve walked into.
To paraphrase that great short story:
“IT LOOKED like a good thing: but wait till I tell you. We were in Virginia—Bill Driscoll and myself—when this data-napping idea struck us. It was, as Bill afterward expressed it, ‘during a moment of temporary mental apparition’; but we didn't find that out till later.
There was a town down there, as flat as a flannel-cake, and called Richmond, of course. It contained political and bureaucratic inhabitants. Of as undeleterious and self-satisfied a class of bureaucrats as ever clustered around a water cooler.
Bill and me had a joint capital of about six hundred dollars and we needed just a million dollars more to pull off a fraudulent town-lot scheme in western Illinois with. We talked it over on the front steps of the Richmond Plantation Hotel. Philoprogenitiveness, says we, is strong in government bureaucracies; therefore and for other reasons, a data-napping project ought to do very well indeed. We knew that Virginia’s Health Department couldn't get after us with anything stronger than career pencil pushers and maybe a diatribe or two in the Richmond Times-Dispatch. So, it looked good.
We selected for our victim the 8.3 million prescription records in the PMP system—as anachronistic a system as we’d ever seen. The operating system was older than my father and the webmaster was half stoned on Pop-Tarts and Red Bull. The data could be stored on my 8-gig thumb drive—the kind you buy online from Chinese hacker sites. Bill and me figured that Virginia would melt down for a ransom of ten million dollars to a cent.
About two miles from Maryland Drive (where the computer center was) in Richmond was our basement cave. There we stored provisions. One evening after sundown, we drove in a Volkswagen buggy past the old Cracker Barrel and down Maryland Drive. It was as quiet as the mountain dew on a Sunday morning.
"Hey, Bill!" says I, "Would you like to try and grab them files?"
Well, hacking that site was like fighting a welter-weight cinnamon bear; but, at last, we got every last one of them pesky datapoints off their site and onto our thumb-tastic drive. We looked at each other in the cave and pulled out my celebratory bottle of two-buck chuck, mixed it with Vanilla Pepsi—directly in the bottle for sure—hoisted our foaming flagons and awaited our fate.”
The end of the story has yet to be officially written but, suffice it to say, no money has changed hands between the extortionist and Virginia’s Department of Health Professions. And the FBI is, no doubt, closing in.
Two weeks ago the PMP site reopened for public use with ALL data restored.