from Associated Press
RICHMOND, May 12 — Legislators had sharp questions for state officials Tuesday about how hackers stole millions of personal pharmaceutical records from a prescription drug database that was supposed to be secure.
"It doesn't sound like the proper firewalls, the proper backing up, the proper security measures were in place at the time,'' said Del. Joe T. May (R-Loudoun), who chairs the Joint Commission on Technology and Science. "The question is . . . why weren't they?''
The pointed questions came at a House Appropriations Committee meeting almost two weeks after hackers claimed to have taken 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program. The hackers then attempted to blackmail the state, threatening to sell the data if they did not receive $10 million last week.
Pat Paquette, technology director for the Department of Health Professions, defended the agency and its security measures.
"Those things were in place, have always been in place,'' she told the lawmakers.
The state has a multimillion-dollar contract with Northrop Grumman to update its computers to include better security, she said. The upgrades at the Department of Health Professions are expected to be completed in August.
The FBI, along with the U.S. attorney's office and Virginia State Police, are conducting an investigation into the alleged theft.
"It's like looking for a needle in a haystack, but they do have the ability to find the needle and they will,'' said Marilyn Tavenner, secretary of health and human resources.
It's unclear whether the hackers followed through on their threat — the deadline for the state to pay up passed last week. Tavenner said the state has yet to verify that the hackers actually succeeded in stealing patient records, as they have claimed. If the theft is real, it would be among the most serious cybercrimes the state has ever faced.
"I don't think this is the last time we are going to see something like this happening,'' Del. L. Scott Lingamfelter (R-Prince William) said. "I have some question as to whether there is a comprehensive approach to cyber security in the commonwealth.''
Lingamfelter, who suggested that the hackers could be cyber-terrorists, called for a "top-down review." Other legislators and privacy advocates are questioning whether the database is needed in the first place.
The database was designed to help doctors and pharmacies track powerful narcotics and painkillers to reduce the abuse, theft and illegal sale of the controlled substances sold under labels that include OxyContin and Vicodin.
House Minority Leader Ward L. Armstrong (D-Henry), who was one of 40 delegates who opposed the creation of the database in 2003, said the alleged theft provides fresh evidence that the program should be scrapped. "That's the problem when you gather up private information in one location,'' he said.
As of October, 38 states had established similar programs. In Florida, legislators who passed a bill to create such a database are asking Gov. Charlie Crist (R) to veto it because of concerns stemming from Virginia's incident.
Virginia's database was set up as a pilot program in 2003 and went statewide in 2006. The American Civil Liberties Union of Virginia lobbied aggressively against it.
"We warned them at the time,'' said Kent Willis, the group's executive director. "The database was too big, all-encompassing. . . . It was not clear how they intended to protect this. [A breach] was almost inevitable."
The database includes only certain drugs such as oxycodone, Vicodin, morphine and Ritalin. Patient names and dates of birth are listed. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not. About 2,600 health-care professionals have access to the data using a password.
Tavenner said the state will begin notifying individuals within days if their information was in the database at the time of the breach. She said they were not able to do so earlier because it would have interfered with the investigation.
The program's computer system has been shut down since the incident, but the state is gradually restoring some functions.
"There was a lot of security on this database," Gov. Timothy M. Kaine (D) said. "It was a very sophisticated effort to do it. But that means we've got to create more sophisticated security, and we take that very seriously."
Staff researcher Meg Smith contributed to this report.
No comments:
Post a Comment