Anatomy of a Breach: Virginia's $10 Million Prescription Ransom — The Birth of Cyber Extortion

> series: anatomy_of_a_breach —— part: 006 —— target: virginia_dhp —— records: 8,257,378 —— ransom: $10,000,000

Hedgehog Security 30 June 2009 12 min read

'I have your stuff.' $10 million or it goes to the highest bidder.

On 30 April 2009, visitors to the Virginia Prescription Monitoring Program website were greeted not by the expected login page but by a ransom note: 'ATTENTION VIRGINIA. I have your [expletive]! In my possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. For $10 million, I will gladly send along the password. You have 7 days to decide.'

The Virginia Department of Health Professions immediately suspended all its servers and called in the FBI and Virginia State Police. The prescription monitoring database tracked controlled substances — OxyContin, Vicodin, and other powerful narcotics — to prevent abuse and diversion. It held names, social security numbers, addresses, and detailed prescription histories for millions of Virginians. If the hacker's claims were true, it was one of the most serious healthcare data compromises in US history — and one of the most brazen acts of cyber extortion ever attempted.

The ransomware playbook — written in 2009.

The Virginia prescription ransom occurred years before ransomware became a household word. CryptoLocker, often cited as the first major ransomware campaign, would not emerge until 2013. WannaCry would not devastate the NHS until 2017. But the Virginia attacker's methodology — compromise the target, encrypt or delete the data, destroy the backups, demand payment — is exactly the playbook that ransomware groups use today. This was not technically ransomware in the modern sense (the encryption was done manually, not by automated malware), but it was the same concept, executed at a scale that foreshadowed the epidemic to come.

What made this case particularly alarming was the claim that the backups had also been compromised. If true, it meant the state of Virginia had no independent copy of its prescription monitoring data — a scenario that remains the nightmare outcome for any organisation hit by ransomware today. The importance of offline, immutable backups — a lesson the Virginia breach taught in 2009 — is still not universally implemented. Our healthcare sector analysis discusses why healthcare backup strategies remain inadequate.


How a government health database was left exposed.

Internet-Facing Government Database

The Prescription Monitoring Program was accessible via the internet to approximately 2,500 healthcare professionals. The web application that provided access contained vulnerabilities that allowed the attacker to breach the system. Government web applications — particularly those handling sensitive health data — require the same level of security testing as any commercial platform. Our <a href="/penetration-testing/web-application">web application testing</a> routinely assesses public-sector applications against this standard.

No Encryption of Data at Rest

The patient records and prescription data were stored without encryption. When the attacker gained access to the database, the data was immediately readable — no additional barriers existed between access and exfiltration.

Backup Integrity Not Verified

The attacker claimed to have deleted both the primary data and the backups. Whether the backups were genuinely destroyed, stored on the same accessible infrastructure, or simply never tested is unclear — but the state's inability to quickly restore from backup suggests that backup procedures were inadequate. Backup verification and restoration testing remains a critical gap we identify in our <a href="/penetration-testing/infrastructure">infrastructure assessments</a>.

Insufficient Access Controls

With 2,500 authorised users accessing the system via the internet, the attack surface was substantial. The web application's authentication and authorisation mechanisms were not robust enough to prevent the attacker from gaining administrative access to the underlying database.
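The two backup lessons above (offline copies that the production host cannot reach, and backups that are actually verified and restore-tested) can be made concrete. The script below is an added example written for this article, not Hedgehog Security's tooling or anything the Virginia programme ran: it builds a SHA-256 manifest at backup time, keeps that manifest apart from the backup set, restore-tests the set against it, and then shows what the check reports when a dump is truncated or the whole backup directory disappears. The file names, paths and record contents are constructed for illustration.

```python
"""Backup integrity verification: build a hash manifest at backup time, keep it
apart from the backup itself, and prove a restore matches before trusting it.
Added example for this article, not Hedgehog Security's tooling; file names,
paths and record contents are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Record size and digest of every file in a backup set, in stable order."""
    manifest = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            manifest[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return manifest


def verify_backup(backup_dir: str, manifest: dict) -> list:
    """Return findings; an empty list means the set matches the manifest exactly."""
    findings = []
    present = set(os.listdir(backup_dir)) if os.path.isdir(backup_dir) else set()
    for name, expected in manifest.items():
        if name not in present:
            findings.append(f"MISSING {name}")
            continue
        path = os.path.join(backup_dir, name)
        if os.path.getsize(path) != expected["size"]:
            findings.append(f"SIZE_MISMATCH {name}")
        elif sha256_file(path) != expected["sha256"]:
            findings.append(f"HASH_MISMATCH {name}")
    for name in sorted(present - manifest.keys()):
        findings.append(f"UNEXPECTED {name}")
    return findings


def restore_test(backup_dir: str, manifest: dict, restore_dir: str) -> bool:
    """A backup only counts once it has been restored somewhere and re-verified."""
    os.makedirs(restore_dir, exist_ok=True)
    for name in manifest:
        shutil.copy2(os.path.join(backup_dir, name), os.path.join(restore_dir, name))
    return verify_backup(restore_dir, manifest) == []


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Run the full cycle on a constructed backup set, then simulate two failure modes."""
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "pmp_backup")
    os.makedirs(backup)
    # Constructed sample dump files standing in for database exports.
    with open(os.path.join(backup, "patients.sql"), "w") as fh:
        fh.write("INSERT INTO patients VALUES (1, 'sample');\n")
    with open(os.path.join(backup, "prescriptions.sql"), "w") as fh:
        fh.write("INSERT INTO prescriptions VALUES (1, 1, 'sample');\n")

    manifest = build_manifest(backup)
    # The manifest lives where the production host cannot write to it
    # (a separate directory here; a separate trust boundary in practice).
    manifest_path = os.path.join(work, "offsite_manifest.json")
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)

    results = {"clean": verify_backup(backup, manifest)}
    results["restore_ok"] = restore_test(backup, manifest, os.path.join(work, "restore"))

    # Failure mode 1: someone with write access to the backup share truncates a dump.
    with open(os.path.join(backup, "patients.sql"), "w") as fh:
        fh.write("")
    results["tampered"] = verify_backup(backup, load_manifest(manifest_path))

    # Failure mode 2: the backup directory is removed outright.
    shutil.rmtree(backup)
    results["deleted"] = verify_backup(backup, load_manifest(manifest_path))
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the manifest and the backup are checked against each other from a location the production environment cannot alter; a backup job that only reports "completed" tells you nothing about whether the copy still exists or still matches what was written.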

Web application testing would have prevented this.

| Vulnerability | What Testing Would Have Found |
|---|---|
| Web application vulnerabilities | A web application penetration test of the Prescription Monitoring Program would have identified the vulnerabilities the attacker exploited to gain access — before they were exploited in anger. |
| Database access from web tier | An infrastructure test would have assessed whether the web application could access the database directly, without appropriate segmentation, input validation, or privilege separation. |
| Backup accessibility | A security assessment would have tested whether backups were stored on infrastructure accessible from the same network as the primary systems — and whether they could be deleted by an attacker who compromised the production environment. |
| No monitoring or alerting | The attacker replaced the website's homepage with a ransom note and allegedly deleted millions of records — without triggering any alerts. SOC in a Box monitors for exactly these indicators: website defacement, bulk data deletion, and anomalous database activity. |
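The last row names three indicators that should have fired: a defaced homepage, bulk deletion, and database activity the application account should never generate. The following is an added example for this article, not SOC in a Box's detection content, showing one way to express each as simple detection logic. The audit-log format, the account name `pmp_app`, the thresholds and every sample line are constructed for illustration.

```python
"""Detection logic for three indicators: website defacement, bulk data deletion,
and anomalous database activity. Added example for this article, not SOC in a
Box's content; log format, account names, thresholds and sample lines are
constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Digest of the known-good login page, captured at the last deployment.
KNOWN_GOOD_HOMEPAGE = "<html><body><form id='login'>...</form></body></html>"
KNOWN_GOOD_DIGEST = hashlib.sha256(KNOWN_GOOD_HOMEPAGE.encode()).hexdigest()

# Constructed database audit log: timestamp, account, statement, table, rows affected.
AUDIT_LOG = """\
2009-04-30T02:10:05 pmp_app SELECT prescriptions 1
2009-04-30T02:10:09 pmp_app SELECT patients 1
2009-04-30T02:41:12 pmp_app DELETE patients 2500000
2009-04-30T02:41:40 pmp_app DELETE prescriptions 9000000
2009-04-30T02:42:01 pmp_app DROP backup_patients 0
2009-04-30T02:43:15 pmp_app DELETE patients 5757378
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def check_defacement(fetched_html: str) -> bool:
    """True when the page actually served no longer matches the deployed baseline."""
    return hashlib.sha256(fetched_html.encode()).hexdigest() != KNOWN_GOOD_DIGEST


def parse_audit(log_text: str):
    """Yield (timestamp, user, statement, table, rows) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, stmt, table, rows = m.groups()
            yield datetime.fromisoformat(ts), user, stmt, table, int(rows)


def detect_bulk_deletion(log_text: str, window=timedelta(minutes=10), threshold=100000):
    """Alert when one account deletes more than `threshold` rows within a sliding window."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, stmt, _, rows in parse_audit(log_text):
        if stmt == "DELETE":
            by_user[user].append((ts, rows))
    for user, items in by_user.items():
        items.sort()
        start, total = 0, 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > window:   # slide the window forward
                total -= items[start][1]
                start += 1
            if total > threshold:
                alerts.append((user, ts.isoformat(), total))
                break  # one alert per account is enough to page someone
    return alerts


def detect_anomalous_activity(log_text: str, business_hours=(7, 19), app_user="pmp_app"):
    """Flag DDL issued by the application account (it should only read and write rows)
    and any DELETE outside business hours."""
    alerts = []
    for ts, user, stmt, table, rows in parse_audit(log_text):
        if user == app_user and stmt in {"DROP", "TRUNCATE", "ALTER"}:
            alerts.append(f"DDL_FROM_APP_ACCOUNT {stmt} {table} at {ts.isoformat()}")
        elif stmt == "DELETE" and not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append(f"OFF_HOURS_DELETE {table} rows={rows} at {ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    print("defaced:", check_defacement("<html><body>ransom note placeholder</body></html>"))
    print("bulk deletion:", detect_bulk_deletion(AUDIT_LOG))
    for a in detect_anomalous_activity(AUDIT_LOG):
        print("anomaly:", a)
```

Each detector is deliberately cheap: a content hash compared to a deployment baseline, a row-count window over the audit log, and a short list of statement types the application account has no business issuing. What makes them useful is that they run continuously and page someone, which is the gap the table describes.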

From Virginia 2009 to ransomware 2025.

The Virginia prescription ransom was an isolated, manual operation by a single attacker. Today, ransomware is an industrialised criminal enterprise conducted by organised groups with dedicated development teams, affiliate programmes, and customer support operations. But the core methodology has not changed: gain access, encrypt or steal the data, destroy the backups, demand payment. The Virginia attacker did manually what REvil, LockBit, and BlackCat do automatically at scale.

The defence against both is the same: prevent initial access through penetration testing and Cyber Essentials certification, detect intrusions early through continuous SOC monitoring, maintain immutable offline backups, and have a tested incident response plan ready for when prevention fails. The organisations that implemented these controls in 2009 were ahead of the curve. The organisations that have not implemented them by 2025 are overdue.


Is your organisation prepared for a ransomware attack?

Our <a href="/penetration-testing">penetration testing</a> identifies the vulnerabilities that ransomware groups exploit. Our <a href="/cyber-essentials">Cyber Essentials certification</a> establishes the baseline controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects intrusions before encryption begins. And <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence's incident response service</a> is there when you need it most.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
