Wednesday, May 13, 2009
Official testifies on aftermath of Va. medical records breach
The FBI and state are still tracking down the hacker as lawmakers questioned security.
RICHMOND -- Virginia officials have yet to determine how severely a hacker compromised the state's prescription-monitoring database but are taking steps to restore other online services for health professionals.
The FBI and the Virginia State Police continue to investigate a security breach involving the prescription-monitoring program maintained by the Virginia Department of Health Professions, which licenses health care providers in the state. State officials said a hacker penetrated the program's Web site, accessed millions of prescription records and reportedly posted a note demanding $10 million for the data's return. The department recognized the unauthorized message on April 30 and shut down its computer systems to protect its data.
The criminal probe could take "a couple more weeks," state Secretary of Health and Human Resources Marilyn Tavenner said Tuesday, when she appeared before a regular meeting of the House Appropriations Committee. Tavenner said the FBI likened the investigation to "looking for a needle in a haystack."
"But they do have the ability to find the needle and they will," Tavenner said.
Meanwhile, VDHP is gradually restoring other online services such as license renewals, Tavenner said. The department has no evidence that any information other than the prescription database was compromised, she said.
Lawmakers on the committee questioned whether the department had adequate computer security measures in place, and one member said state government should launch a comprehensive review of all its information systems to protect against similar threats.
"We had all the safeguards in place, but we still got hacked," said Del. Joe May, R-Leesburg. "Would it be safe to say, or fair to say, that we underestimated the value of the data you're sitting on?"
But lawmakers were told that the VDHP ranked in the top 5 percent of state agencies in an audit of information security. All of the department's data had been properly backed up and backup files had been properly secured, officials said.
The prescription-monitoring program was established in 2003 to track the dispensing of controlled substances. It began as a pilot program in Southwest Virginia in response to widespread abuse of the prescription painkiller OxyContin.
Department officials said they have no evidence that any personal information is at risk because of the security breach, but will work with authorities to notify individuals with records in the database. The information stored in the database includes the names, addresses and birth dates of those receiving medications and the substance dispensed to them.
Tavenner noted that pharmacists are not required to enter a patient's Social Security number in the database, but some small, independent pharmacies do provide that information. Tavenner said officials will make "a proactive reach" to individuals with active Social Security numbers listed in the database because they would face a greater risk of identity theft.
Del. Scott Lingamfelter, R-Prince William County, suggested state government should launch a comprehensive review of its systems.
"Because I can tell you if you don't, this will not be the last time we see a breach," Lingamfelter said.
The head of the Virginia Information Technologies Agency, which manages the state's computer systems, indicated that some improvements will occur after the investigation of the hacker episode.
"What we will do, as a result of that, is fine-tune," said Lem Stewart, the agency's chief information officer.





