
Attacker reportedly holds Virginia patient data hostage

Virginia Prescription Monitoring Program site remains down after attacker allegedly breaks into the Web site and deletes data, demanding a ransom to get it back.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

An attacker tried to extort $10 million after breaking into a Virginia state Web site used to track prescription drug abuse and allegedly holding the data hostage, according to a posting on the Wikileaks Web site.

The ransom message on the Virginia Prescription Monitoring Program site read:

"I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."

The site, which was broken into late last week, was not accessible late on Monday.

Sandra Whitley Ryals, director of Virginia's Department of Health Professions, told The Washington Post that a criminal investigation is under way by federal and state authorities. An FBI spokesman declined to comment.