Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
The PMP contains details of medical patient’s drug prescriptions and was intended to be used to stop people abusing their access to medicines. However, last week the site was taken over by hackers and the following announcement posted on the web page:
"I have your s**t! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions,” said the site according to Wikileaks.
“Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site has now been taken down and PMP representative are not returning requests for information from the media.
The message continues that if payment is not received in seven days then the hackers will offer the information to the highest bidder. They say that they may not find a market for the prescription data but should be able to sell basic identity information such as social security numbers and driver’s license details.
The message then lampoons the FBI’s practice of not paying out ransom for information and gives an email for response. The FBI and state police are reportedly investigating.
“If this all is correct, it indicates that several protection layers failed at the PMP,” said Bojan Zdrnja of the SANS Internet Security Center in a blog posting.
“Without knowing more details we can't say if the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is ability for a hacker to delete your backups. And indeed, any decent backup system will only allow you to backup the data or read it – only the backup administrator should be able to delete the backups.”
The case raises long term questions for businesses holding large amounts of data on customers, and their liability should a hacking attack occur.
This is not the first time that medical databases have been held for ransom. In October 2008 prescription processor Express Scripts had their database stolen and offered US$1 million for its safe return.
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.