A state medical site was vandalized, and the vandal claims he’s stolen 8M records.

Some jackass vandalized The Virginia Department of Health Professions’ website, claiming to have taken eight million patient records hostage, giving the state seven days to pay a $10M ransom to get them back. The ransom note has been removed from the VDHP website, but it’s mirrored here. If this is true then it is, of course, Very Bad. The bulk of the state’s IT is outsourced to Northrop Grumman, who I understand has chronic ass/elbow confusion, so there’s nothing about this that surprises me. The agency head tells the Post, totally unassuringly, that “we take the information security very serious,” stopping only one grammatical step short of saying that “teh internets is the dangerous.”

But the fact that somebody can deface a webpage doesn’t mean that they have any access to the servers that store patient records. So it could be a ruse, easily verified by checking the data. If this is nothing more than a defacement, no problem—patch the hole, life goes on. But if any data has actually been accessed and duplicated—or worse yet, taken without leaving any trace of it in state records—then this is a significant problem. (Missing data is a very different problem than wrongly duplicated data.) There are also some pretty significant practical hurdles for our intrepid black hat hacker. Like getting the $10M. Short of hurling the money out of an airplane over the desert, however the money is transferred to him, it would be tracked. So, sure, the FBI can send him $10M, and then they’ll arrest him. This guy must suck at chess.

Aneesh Chopra’s last day as Virginia’s CTO was a couple of weeks ago—he must be glad for that right now. There’s an informative discussion on Slashdot for those interested in the technical details. I’ll be interested in watching this unfold, even as the conclusion is obvious. The bits to keep an eye on as this unfolds are a) what the damage is b) how they catch him c) how well this agency handles this and d) what the state does differently with IT to prevent this from happening again.

Published by Waldo Jaquith

Waldo Jaquith (JAKE-with) is an open government technologist who lives near Charlottesville, VA, USA.

6 replies on “A state medical site was vandalized, and the vandal claims he’s stolen 8M records.”

  1. Right off the bat, how would this clown be safe communicating via a Yahoo account? They already have that either hacked or closed down.

    I’m with you, this is a giant learning exercise. Let’s learn to not outsource the IT to a military contractor.

    That is something, by the way, that I don’t understand. Would this state outsource everything if they could?

  2. They should never have passed a law requiring pharmacies to keep this data in the first place. So I’m not sure who is the biggest um, jerk, here. To prevent a few people overusing or overprescribing pain medications and such they have endangered the identities of cancer patients, surgery patients, older folks, all kinds of innocent Virginia citizens in the name of the “drug war”. Why was there no protest when this big brother law was passed in the first place?
    @Mark Brooks, there is currently an RFP out to privatize/outsource substance abuse treatment at Woodrow Wilson in Fisherville. So yes, I think the state of Virginia would outsource everything they could get away with.

  3. Ah, I see in the threat letter that the hacker alleges Virginia’s “backups seem to have gone missing.”

    Huh? Off-line/off-site backups should be just that–they *should* appear to be missing, at least from the perspective of an on-line hacker. Co-located/on-line backups aren’t true backups!

    Pretty unconvincing…

  4. Good point Jeff, when I worked for a state agency, backup tapes were sent somewhere else every morning. We didn’t even know where they went, probably the director did. So yeah, not convincing, at that time, years ago, they were tapes.

  5. “This guy must suck at chess.”

    I laughed so hard that people looked at me like I was crazy.
