530,000 Virginia patients individually warned of SSN hack

Officials working for the State of Virginia have announced that they are sending breach notifications to over half a million patients whose Social Security Numbers (SSNs) may have been compromised.

The warnings, which are being sent to 530,000 people whose prescription records may have included the sensitive information, come in the wake of a hacker gaining access to the Prescription Monitoring Program computer system, where they planted a rather fruity message demanding a $10 million ransom.

As yet, the hacker has not been identified.

Press release from Virginia Department of Health Professions


According to media reports, the compromised database contains details of over 35 million prescriptions, including details such as the patient’s name, address and date of birth, and the name and quantity of the drug prescribed.

In addition, an optional field in the database was used to carry the patient’s identifying number. Where that number is nine digits long (which could make it a SSN), officials are sending a warning to the individual concerned.

Some questions spring to mind at this point.

Why don’t the authorities know if the nine digit identifying number is the patient’s social security number or not?

And why aren’t patients who don’t have a nine digit identifier also being notified? After all, it appears that hackers may have their name, address, date of birth and other personal information that could be handy for an identity thief even if a SSN isn’t present.

Whatever the answer to these questions, affected members of the public are advised to watch their bank and credit card statements for irregularities.

News that the State of Virginia is undertaking this enormous notification process pours cold water over earlier speculation that perhaps the hacker had not managed to access the database and had only managed to deface the website.

It seems clear now that a serious security breach did occur – although the hacker’s claim to have wiped the data and all backups appears to have been false.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
