Tuesday, May 05, 2009

Virginia Department of Health Professions Breach: Extortion Demand Regarding 8M Patient Records and 35M Prescriptions

Information Week is covering a story involving an extortion letter sent last week to the Virginia Department of Health Professions seeking $10M to return more than 8M patient records and 35M prescriptions allegedly stolen from the Virginia Department of Health Professions.

The extortion demand was posted on WikiLeaks. The WikiLeaks website states:

May 3, 2009
On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
"I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx appears to have been entirely disabled and is presently unavailable.
The linked file provides the full ransom message.
The PMP is used by pharmacists and others to discover prescription drug abuse.
The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable.

The Virginia Department of Health Professions website indicates that they are "currently experiencing technical difficulties which affet computerand email systems."

Sandra Whitely Ryals, Director of Virginia Department of Health Professionals, responded to the inquiry by Information Week stating that "a criminal investigation is under way by federal and state authorities."

The Washington Post Security Fix blog is also covering this story. Follow more news on this story via Google News.

UPDATE (5/5/09):
At the bottom of his follow up post, John Chilmark asks the question: "Now the question is, under HIPAA, does the VDHP have to send out breach notifications to all consumers whose records have been compromised?

Here is my quick assessment. The HIPAA privacy rule (pre-ARRA HITECH) does not contain provisions that require a covered entity to notify individuals impacted by an alleged breach. However, when I have assisted clients with these types of data breach situations in the past I typically discuss with the client whether it is good practice to provide notification. The HIPAA privacy rule provisions do contain a requirement that a covered entity should mitigate potential harm to patients/individuals when there is a violation of the privacy rule. My interpretation is that this might, under certain circumstances, include providing notice to such individuals whose data has been compromised. Also, a question that factors into the equation is whether or not the Virginia Department of Health Professsions qualifies as either a covered entity or business associate under the HIPAA privacy rule. Handling these situations are very fact specific and depend upon a number of factors.

The new federal breach notification requirements contained in the HITECH section of the American Recovery and Reinvestment Act (ARRA) do not apply because the provisions do not go into effect until 30 days after the Department of Health and Human Services (HHS) publishes the interim final data breach notification regulations which has not yet occurred. The new federal breach notification law will be implemented in conjunction with the Federal Trade Commission's (FTC) proposed health breach notification rule that will apply to PHRs, PHR related vendors and other third party providers. The proposed rule is currently out for comment.

The regulations are currently in the works and HHS has now issued initial guidance on what data is classified as unsecured protected health information (not secured by technology that renders it "unusable, unreadable or indecipherable"). See the April 27, 2009 guidance for more on what this means. The guidance outlines the types of technologies that, if used, create a safe harbor for HIPAA privacy covered entities adn business associates to avoid having to provide notice in a situation where there has been a breach.

Also, the VDHP will likely have to assess the Virginia Data Breach Act (state-by-state survey of state breach laws by the National Conference of State Legislatures) to see whether notification or other action is required under state law.Over 40 states now have distinct state laws governing breach notification that extend to and cover everything from traditional personal information (name, social security number, etc.) to health related information. I've not dealt nor reviewed the Virginia Act but suspect a strong likelihood that notification will be required.

UPDATE (5/6/09): The Roanoke Times provides an update on the status of the pending investigation with comments from Governor Tim Kaine. The article states:
Gov. Tim Kaine said today that a hacker’s reported access to patient prescription records from a state database was “an intentional criminal act against the commonwealth by somebody who was trying to harm others” . . .

The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.

“Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.

The article also indicates that under Virginia law notification is required and that Virginia's breach notification law requires, like many state laws, that notice must be provided "without unreasonable delay."
The article also indicates that Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach. The law states that notification must be provided “without unreasonable delay.”


Anonymous said...

Thanks for taking the time to research and write a response to my question on breach notification. Sounds like though VDHP is not necessarily required under HIPAA today to do such notification, best practices would argue that they do perform such a task.

My next question, which you probably can not answer is that with so many DC politicians living in Virginia and possibly getting care and meds there, wonder if they are at risk from disclosure.

Unknown said...

At a recent forum we were very clearly told that the stimulus bill in fact DOES include security breath notification whereas HIPPA never actually did.


Privacy and security breach notices to individualsAlmost all states have passed laws requiring businesses to notify consumers of breaches of the security of their personal information in electronic databases. HIPAA, however, has no strict notification requirement. The Act changes this by requiring covered entities to notify individuals whose unsecured protected health information has been or is reasonably believed to have been accessed, acquired or disclosed as a result of a privacy or security breach. If the breach is discovered by a business associate, rather than a covered entity, then the business associate is required to notify the covered entity of the breach, including the identification of each individual who has been or is reasonably believed to have been affected by the breach.

The notification provisions will provide new challenges to covered entities and their business associates. Almost all states have adopted their own notification provisions that have different triggers, notification timelines, notice procedures and content requirements. The new federal requirements do not preempt the more restrictive state notification requirements, and covered entities likely will have to comply with both. It will not be, however, necessarily intuitive how to combine more stringent notification timelines imposed by state law with more specific notification content under federal law.

The Act generally requires that the breach notices be sent without unreasonable delay and in no case later than 60 calendar days after discovery. Unlike many state notification laws, the new federal law is not limited to breaches of the security of online information, nor is it restricted to financially sensitive information, such as social security number, bank account information or the like.

symtym said...

To follow on John's question, what's the likelihood that Virginia was targeted because of the political dimension/attention that would come with such a breach? Will we see more legislation directly traceable to this breach?

Bob Coffield said...

Alliance4Health, I agree. The ARRA (stimulus bill) does include new breach notification requirements. As I state in my initial analysis in the post above prior to ARRA the HIPAA privacy rule did not include specific provisions requiring breach notification. The reason that the ARRA (stimulus bill) provisions do not apply in this situation is because the provisions have not yet gone into effect. The regulations implementing the new law are just starting to be rolled out via regulation and won't go into effect until 30 days after the final regulations are issued.

David Harlow at the HealthBlawg provides additional thoughtful analysis on the ongoing situation.

Linda said...

I live in Virginia and got two "Data Breach Notification" letters. One was addressed to "Parents of" followed by my husband's name and the other to "Parents of" followed by the name of a dog that I had 2 years ago. This pet died at the age of 15. I assume that he got in the database because he was prescribed a seizure medication, but the letter alludes to possible theft of his social security number. If he had one, he never told me about it!

I wonder if the state was easily fooled because their system is faulty. Pets don't belong in the database.