Virginia warns more than 500,000 of possible records breach
HIPAA Weekly Advisor, June 8, 2009
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Virginia officials last week began mailing direct individual notifications to more than a half-million people whose Social Security numbers may have been contained in the Prescription Monitoring Program database that was hacked by a criminal demanding a $10 million ransom in April.
"Although the investigation has yet to determine what, if any, personal information is at risk, DHP nonetheless recommends that persons remain vigilant over the next 12 to 14 months," says Sandra Whitley Ryals, director of the Virginia Department of Health Professions, which oversees the PMP database.
State and federal authorities continue to investigate the April 30 breach. Ryals says all PMP data was backed up and all back-ups have been secured. No evidence suggests that systems beyond the PMP were involved.
Ryals says the mailing is to directly inform individuals of the potential exposure of Social Security numbers and to advise persons of precautionary steps that may be taken. "While there are over 35 million prescription records in the PMP database, only the 530,000 individuals whose prescription records may have contained Social Security numbers will receive the direct mailing," says Ryals. "Additionally 1,400 registered users of the program who may have provided Social Security numbers when they registered for the program also are being sent an individual notification."
The PMP system has been closed since the breach. It will reopen for registered users when new security measures are cleared by the Virginia Information Technology Agency and other law enforcement agencies.
The as-yet unidentified hacker left a ransom note in April at the Web site that read: "I have your [stuff]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
Police have declined to detail the investigation.
-- John Commins, for HealthLeaders Media.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Capturing all necessary codes for IUD insertion and removal can be challenging
- Identify potential Medicaid RAC target areas
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- CHANGES COMING: Key differences in nationwide rollout
- Searched