Wednesday, May 06, 2009
Kaine calls state database incident an "intentional criminal act"
Gov. Tim Kaine said today that a hacker’s reported access to patient prescription records from a state database was “an intentional criminal act against the commonwealth by somebody who was trying to harm others.”
State and federal authorities are investigating the possible theft of records from a database maintained by the Virginia Department of Health Professions, which licenses health care providers in the state. State officials discovered an apparent security breach last Thursday and shut down access to much of the department’s Web site.
WikiLeaks.org, an online clearinghouse for leaked documents, has reported that the Web site for the state’s prescription monitoring program was penetrated by a hacker who claimed to have accessed records for more than 8 million patients and more than 35 million prescriptions.
The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.
“Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.
Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach. The law states that notification must be provided “without unreasonable delay.”
Kaine said today that “there is an aspect of this investigation that plays into when notification can take place.”
“The agency and others are doing as much as they can as quickly as they can without compromising the ability to find who’s done this,” he said.
The state established the prescription monitoring database in 2003 to track the sales of addictive drugs, largely in response to the widespread abuse of the painkiller OxyContin in Southwest Virginia.
“This particular database was one where it’s very important to have real-time information, to have it in electronic form,” Kaine said.
Kaine said the Virginia Information Technologies Agency, which oversees the state’s computer systems, and other agencies will learn from any mistakes that were made in this case.
“But again, it’s a criminal act,” Kaine said. “You’re never going to stop people from trying to commit crimes. But we’ll take it as a learning opportunity and try to beef up whatever the particular window was that allowed this perpetrator to do something wrong and we’ll do something to stop it.”
State and federal authorities are investigating the possible theft of records from a database maintained by the Virginia Department of Health Professions, which licenses health care providers in the state. State officials discovered an apparent security breach last Thursday and shut down access to much of the department’s Web site.
WikiLeaks.org, an online clearinghouse for leaked documents, has reported that the Web site for the state’s prescription monitoring program was penetrated by a hacker who claimed to have accessed records for more than 8 million patients and more than 35 million prescriptions.
The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.
“Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.
Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach. The law states that notification must be provided “without unreasonable delay.”
Kaine said today that “there is an aspect of this investigation that plays into when notification can take place.”
“The agency and others are doing as much as they can as quickly as they can without compromising the ability to find who’s done this,” he said.
The state established the prescription monitoring database in 2003 to track the sales of addictive drugs, largely in response to the widespread abuse of the painkiller OxyContin in Southwest Virginia.
“This particular database was one where it’s very important to have real-time information, to have it in electronic form,” Kaine said.
Kaine said the Virginia Information Technologies Agency, which oversees the state’s computer systems, and other agencies will learn from any mistakes that were made in this case.
“But again, it’s a criminal act,” Kaine said. “You’re never going to stop people from trying to commit crimes. But we’ll take it as a learning opportunity and try to beef up whatever the particular window was that allowed this perpetrator to do something wrong and we’ll do something to stop it.”
