RICHMOND -- A hacker's reported access to patient prescription records from a state database is now being investigated by federal and state authorities, and Gov. Tim Kaine has called the incident "an intentional criminal act against the commonwealth by somebody who was trying to harm others."

"Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted ... and that we protect people whose data has been compromised," Kaine said Wednesday.

The FBI and Virginia State Police are investigating a possible security breach involving the prescription monitoring program maintained by the Virginia Department of Health Professions, which licenses health care providers in the state. The state established the prescription monitoring database in 2003 to track the sales of controlled substances, largely in response to the widespread abuse of the painkiller OxyContin in Southwest Virginia.

On April 30, department officials discovered an unauthorized message on the program's Web site and notified the state police and the Virginia Information Technologies Agency, which manages the state's computer systems.

WikiLeaks.org, an online clearinghouse for leaked documents, has reported that the monitoring program's Web site was penetrated by a hacker who claimed to have stolen records for more than 8 million patients and more than 35 million prescriptions. The hacker reportedly demanded $10 million for returning the data.

Department officials said Wednesday that they have no evidence that any personal information is at risk but recommended that anyone concerned about possible identity theft review personal financial statements and periodically review credit reports. The department's entire system has been shut down since April 30 to protect the security of the program's data, said Sandra Whitley Ryals, the department's director

"While DHP cannot comment directly on an ongoing investigation, we can assure the public that all precautions are being taken for DHP operations to continue safely and securely," Ryals said.

Ryals added that state officials "are satisfied that all data was properly backed up and that these backup files have been secured."

Virginia law requires notification of individuals whose personal information may have been accessed because of a computer security breach. The law states that notification must be provided "without unreasonable delay."

But Kaine said Wednesday that "there is an aspect of this investigation that plays into when notification can take place."

"The agency and others are doing as much as they can as quickly as they can without compromising the ability to find who's done this," he said.

The program began as a pilot project in Southwest Virginia to crack down on "doctor-shoppers" -- the term used to describe addicts and drug dealers who get prescriptions from multiple physicians. It was expanded to a statewide program in 2006.

"This particular database was one where it's very important to have real-time information, to have it in electronic form," Kaine said.

Kaine said state agencies will learn from any mistakes that were made in this case.

"But again, it's a criminal act," Kaine said. "You're never going to stop people from trying to commit crimes. But we'll take it as a learning opportunity and try to beef up whatever the particular window was that allowed this perpetrator to do something wrong, and we'll do something to stop it."

A 2008 report compiled by VITA identified 93 "security incidents" between July 2007 and September 2008 involving systems of 88 independent and executive branch agencies.

Of those, 30 were classified as the use of malicious software to modify or obtain state information. Most of those attacks were Web site defacements, such as posting of malicious content on Web servers, and the installation of malicious software on computers, according to the report.