I can tell you at least one thing your medical record contains: your SSN number. The threat here is not that someone will learn that you were in for colon surgery last Tuesday when you said you were bowling. The threat here is that your name, address, SSN, etc. will be sold to a 3rd party, who will then commit credit fraud using your personal information.

This cannot happen on a large scale without computerized medical records. Someone strolling into a medical practice will have a lot less luck stealing IDs from the paper records than someone hacking into a database.

It's gotten better but it's nowhere near the level of GMails. My guess is we could flood his box within a single day so badly that he'd be forced to shut down his, now infamous, email.

City of Richmond hires 'trained employees' who came from 6 month 'career colleges' (see ITT, Beta Tech 'centura college' and ECPI).. They have gotten what they paid for: People whose main server experience involved food.

I interviews for a job at city hall in Richmond during the 'interview" an interviewer told me what I was CURRENTLY doing at my job was not possible. I sat in a 12 person interview explaining freaking imaging software to their IT staff!! The guy swore that it wasnt possible to image unlike machines to USB devices. He used the 'raising my voice' makes me right technique. I guess sysprep and acronis are 'fictional technology'... Jackasses.

what a fucking idiot. Thanks for disclosing the email address you use. As if The state cant get Yahoo to disclose where that mailbox is accessed from.

What a dumb tool he is.

Now I'm sad because that's probably not going to happen.

There are all sorts of shadowy places where identity thieves and major ID theft rings hang out. It would be very easy for the guy, if he knows where to look, to find someone, and most likely someone that another person he knows can vouch for, that would gladly pay big bucks for reliable data that includes DL and SSN. In spite of anti--money-laundering laws, there are still many ways to move and launder funds to make them nearly impossible to trace.

He could actually pull it off... but he's got balls of steel for having the willingness to go up against this sort of opponent, sorta like the kid that broke into Sarah Palin's Yahoo account... except this guy seems, for now, to be at least a little smarter :)

Odds are that data is on the market allready. He can collect from other crooks but not from a state gov.

@ParanoidGeek: When our exchange server crashed last week we lost about half of our emails from our "good backup" Note to self never again trust a back up and check all user for cache mode. Note to bosses we need new servers and upgrades.

@1234tu: bahahahaha

They are just incompetents that don't know how to setup a server. They probably install Windows server, and went, "ok it's all done", without any configuration. And who puts a backup online either-way? this should be a big sign on how they know nothing about servers.

My guess is that instead of contracting a firm that handle server configuration with trained competent employees, they probably put newspaper ads to hire some IT's at low wage, to save a few dollars and take advantage of corrupt system (probably pocket the difference).

@frodolives35: Told them duh

@grumpygirl:Happened to my wife last month they still have not found it. She just walked out when they handed her another stack of paperwork to fill out. On the 1st page ssn info she tolg them they allready lost the info once why would she trust them with it again.

Hackers may be smart, but all it takes is a small mistake to get caught big time.

Where I work, I manage medical records - both paper and now electronic - and you're absolutely correct. It's amazing how many paper charts get lost on a regular basis.

acctually,he should be in the world book of records for a terriost with the most hostiges,he has over 8 million .The sad thing is that the ransom will come from the general public in the form of more taxes.Myself,I think when he is caught,and I think he will be, he should be hung by the neck till dead as an example to others who might try such a thing.Why should we have to pay for a criminal's room and board for life,and that goes for any crook with a life sentence.
"kill em all" and save the money.

I've never seen a scalpel, heart monitor, or prescription that prompts you for your SSN before continuing like a Windows product key.

What the person did is criminal and should be charged to the fullest extent. It's one thing to find a vulnerability and report it. It's an entirely other matter to make the records unavailable and then threaten release for payment.

But Is his shit secure.

Sorry first thing to come to mind after reading I have your shit.

@chiieddy: Tor, proxies, etc. more or less make that impossible if they know what they're doing.

Until companies and local governments start taking this seriously it will only get worse.

It would have been impossible for me to say it better myself.

Now, imagine all that, plus proprietary non-inter-compatible file formats.

And how hard would it be to catch this guy? How many 13 year olds are out there selling 8 million patient records to the highest bidder?

(Convoluted grammar! I'm sorry.)

@joeblevins: It is possible they have never actually restored the backup before. It happens a lot.

I'm not an IT expert - what does "restored the backup" mean? Are you saying that it is really a possibility that they don't have some kind of a daily backup stored in a safe somewhere? These guys probably have a 50 page procedure document just for backups, and another one for disaster recovery. Unless someone just chose not to do their job for a few months I don't see how this could happen.

Wow...two Office Space references in one day (see: magazine subscription story comments)...this is a GOOD day, indeed.

It would have been double-win if the hacker had demanded a stapler in his ransom note.

@Jozef: If that was a serious offer I would say that you just committed a felony....

Disclaimer: I'm an IT security professional (insert witty "don't try this at home" line here!)

@octopede: Forget the hands.

This piece of slime has demonstrated that he no longer deserves to co-exist on this rock. Go for the head.

You can't fix someone that broken. When you release him he'll be just as worthless.

@1234tu:

It is possible they have never actually restored the backup before. It happens a lot.

If they are really so retarded that he was able to delete their only backup he should be pardoned, and given the $10M as a reward. Seriously - no way. They have backup. One thing the govt. CAN do well is write and follow procedure documents.

They should send him a cashiers check for $15mil, have him deposit it and send the extra $5mil back.

That's what trials are for. The penalty for something like this should be Saudi-style - having your hands removed and being physically silenced (i.e., cutting the laryngeal nerves).

Obviously that's very extreme, but I'm quite sick of hackers (the evil ones) trying to extort money in return for not ruining millions of people's lives.

@key2616: Awesome. I will send him an email offering him $5 to be able to punch him in the face. He can consider it practice for the beating he's going to get just before he gets raped in prison.

Nice! LOL!

@UrIt: nothing you but on a yahoo profile has to be verifioed and any IP logged is likely through aa nest of proxies and TOR servers. It isn't impossible but they'd have better luck putting money in teh account and then tracking the money.

+2

+1

Everyone who advocates for those records needs to remember that stupid people will administer them. This means no offsite backups, passwords that are 1-2-3-4, machines left out and stolen...

Either this hacker is a whizkid or a total idiot.

Awesome. I will send him an email offering him $5 to be able to punch him in the face. He can consider it practice for the beating he's going to get just before he gets raped in prison.