An attack on the Virginia Department of Health Professionals (VDHP) website, resulted in a prescriptions website being hacked and a $10m ransom demand for the return of millions of allegedly stolen patient records.

US press reports and blogs say the attack involved over eight million electronic patient records and some 35m prescription records. That an attack had happened was confirmed by VDHP which immediately suspended all its servers.

According to an Information Week report, the alleged attack saw a hacker claim to download eight million patient records, erase the records from the VDGP servers, and then demand a $10m ransom for the return of the files.

The Wikileaks website reported that the Web site for the Virginia Prescription Monitoring Program had been defaced with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file. VDHP says proper backups were in place.

According to a report by the Richmond Times Dispatch, on 31 April all 36 servers storing the state agency’s records were shut down after a midday message popped up on some computer screens that claimed the system was being hacked.

Sandra Whitley Ryals, director of the Virginia Department of Health, said in a 6 May statement. “A criminal investigation is currently underway regarding a potential security breach of the Virginia Department of Health Profession’s (DHP) Prescription Monitoring Program on Thursday, April 30.”

The statement continued: “The entire DHP system was shut down since Thursday to protect the security of the program data, and state authorities including the Virginia Information Technologies Agency (VITA) and the Virginia State Police were notified immediately upon identifying the potential breach. We are satisfied that all data was properly backed up and that these backup files have been secured.”

The claimed attack is the second to be reported by the Wall Street Journal in the past year. In October 2008, Express Scripts, a processor of pharmacy prescriptions, said extortionists were threatening to disclose the personal and medical information of millions of US citizens if the company failed to meet payment demands. Express Scripts is now said to be offering a $1m reward for information leading to the arrest and conviction of those responsible.