Officials working for the State of Virginia have announced that they are sending breach notifications to over half a million patients whose Social Security Numbers (SSNs) may have been compromised.
The warnings, which are being sent to 530,000 people whose prescription records may have included the sensitive information, come in the wake of a hacker gaining access to the Prescription Monitoring Program computer system, where they planted a rather fruity message demanding a $10 million ransom.
As yet, the hacker has not been identified.
According to media reports, the compromised database contains details of over 35 million prescriptions, including details such as the patient’s name, address and date of birth, and the name and quantity of the drug prescribed.
In addition, an optional field in the database was used to carry the patient’s identifying number. Where that number is nine digits long (which could make it a SSN), officials are sending a warning to the indvidual concerned.
Some questions spring to mind at this point.
Why don’t the authorities know if the nine digit identifying number is the patient’s social security number or not?
And why aren’t patients who don’t have a nine digit identifier being also notified? After all, it appears that hackers may have their name, address, date of birth and other personal information that could be handy for an identity thief even if a SSN isn’t present.
Whatever the answer to these questions, affected members of the public are advised to watch their bank and credit card statements for irregularities.
News that State of Virginia is undertaking this enormous notification process pours cold water over earlier speculation that perhaps the hacker had not managed to access the database and had only managed to deface the website.
It seems clear now that a serious security breach did occur – although the hacker’s claim to have wiped the data and all backups appear to have been false.