Thursday, October 23rd, 2014
Mostly True
Scott
"Hackers broke into Virginia's prescription-drug database (and) ... obtained more than 8.2 million patient records and a total of nearly 36 million prescriptions."

Rick Scott on Thursday, April 14th, 2011 in testimony before Congress.

Rick Scott cites Virginia drug database failure in congressional testimony

Florida Gov. Rick Scott appeared before Congress on April 14, 2011, to testify about the state's problem fighting prescription drug abuse and the proliferation of so-called "pill mills."

One way Florida is hoping to combat the over-prescribing of pain medications like oxycodone, Scott said, is by implementing a statewide drug database that will track prescriptions that pharmacists fill for patients. The hope is that law enforcement officials can spot doctors who are prescribing too many drugs, or patients who are hopping from doctor to doctor satisfy their fix.

Scott initially opposed the database, saying he was concerned about the privacy rights of law-abiding patients -- and asked the Legislature to repeal a 2009 law that created the computer monitoring program.

But his position put him at odds with leaders in the state Senate, whose support would have been required to nix the database. So the database is moving moving forward.

In his testimony before the House Energy and Commerce subcommittee, Scott repeated concerns about the privacy issues in such a system. He then highlighted a story about Virginia's prescription drug database to help make his point.

"As the database implementation moves forward, I must draw your attention to a serious risk that I believe databases like this pose to the privacy of individuals – most of whom are law-abiding individuals," Scott said, according to his prepared remarks. "As you know, in 2009 the Associated Press reported a massive privacy breach when hackers broke into Virginia’s prescription-drug database. They obtained more than 8.2 million patient records and a total of nearly 36 million prescriptions.

"So, while the database in Florida is brought online, I continue working with my legislative partners to find solutions that protect patient privacy."

We wanted to know if hackers did indeed break into Virginia's database, and if they obtained 8.2 million patient records.

News of the break-in to the database first appeared on WikiLeaks, a website founded to publish classified, secret and otherwise private government information. On April 30, 2009, the WikiLeaks website reported that the Virginia Prescription Monitoring Program (PMP) secure website was hijacked with a $10 million ransom demand. "In my possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions," the hacker wrote on the site. "For $10 million, I will gladly send along the password … If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid …"

The FBI acknowledged in a May 5 Associated Press article that it was investigating a breach of the system, and in a subsequent article said that WikiLeaks reported that 8 million patient records and 35 million prescriptions were accessed. The WikiLeaks report contained the ransom note, but did not include the posting of any patient records, said Diane E. Powers, a spokeswoman with the Virginia Department of Health Professions.

The following day, state officials confirmed that someone had hacked into the database. Virginia authorities said they would not pay the ransom.

"They really think they'll get anything out of this?" said then-Gov. Timothy M. Kaine. "Not a chance."

The ransom deadline came and went without noticeable incident, according to media accounts.

And most importantly for our check, state officials said it was unclear whether the hackers were able to view patient records, as they had claimed. Powers told PolitiFact Florida that the investigation remains open. No one has been caught in connection with the virtual break-in.

The Virginia Department of Health Professions did send a notification letter to all persons whose prescription records in the database contained a nine-digit number that could have been a Social Security number.

None of the database information was lost, Powers said, and the PMP continues to operate.

So a hacker did break into the database and posted a ransom note claiming to have obtained the records Scott referenced. But it's not clear whether the hacker really obtained access to the records. We rate Scott's claim Mostly True.