A few weeks ago, the records of 8 million patients were stolen from Virginia’s prescription-monitoring system when a computer hacker broke into it and demanded a $10 million ransom.
Now, some Florida lawmakers are using the incident to try to persuade Florida Gov. Charlie Crist to veto a bill that Kentucky officials hope will shut down the pill pipeline between Florida and Kentucky.
The bill, already passed by the legislature, would create a Florida prescription monitoring system designed to dissuade hundreds of Kentuckians from traveling to Florida to doctor-shop.
Kentucky Lt. Gov. Daniel Mongiardo, who asked the Florida General Assembly to pass the legislation, said he would call to encourage Crist to sign the bill.
Digital Access For Only $0.99
For the most comprehensive local coverage, subscribe today.
“This legislation is too important to be derailed by a criminal,” Mongiardo said, referring to the hacker. “It’s too important for Kentucky. This is a major piece of legislation that we have to have in order to protect our citizens.”
Kentuckians are traveling by cars, vans and planes to Florida, where doctors prescribe hundreds of powerful pain pills for cash. Several Kentuckians have died of overdoses of pills they got in Florida.
The prescriptions are obtained legally, but people often bring them back to be sold illegally. The trips are an effort to escape the Kentucky All Schedule Prescription Electronic Reporting system, known as KASPER, which tracks who prescribes, dispenses and receives the drugs.
Kentucky officials have said they’ll help Florida get its program off the ground with the software they use for KASPER.
But on April 30, the same day that the Florida General Assembly passed legislation to create a monitoring system, the hacker posted a message on Virginia’s monitoring system saying he had stolen millions of prescription records. The FBI is searching for the hacker, who said that if he didn’t get $10 million in ransom, he would sell the information to the highest bidder.
Virginia’s system has not been operational since the hacker made the threat, said Kathy Siddall, a spokeswoman for the Virginia Department of Health Professions.
The database does not contain patient medical histories, but it does list names, addresses and, in some cases, Social Security numbers of patients who received prescriptions for painkillers such as OxyContin.
Lobbying the governor
The bill for the Florida system should arrive on Crist’s desk within the next two weeks. He will have 15 days to decide whether to sign it, press secretary Sterling Ivey said Wednesday.
Thirteen lawmakers — who either voted against the bill or didn’t vote — sent Crist a letter earlier this month asking him to veto the bill because of what happened in Virginia.
“This request is based on a well-founded fear that the sensitive personal and medical information contained in such a database would be susceptible to cyber terrorists and criminals,” they wrote in the May 7 letter.
Ivey told the Herald-Leader on Wednesday that Crist hasn’t taken a position on the bill yet.
“It’s something that Florida needs to be able to track prescription users to ensure that no one is abusing the system,” he said. “But he wanted to review the final language in the bill.”
Florida is one of only 12 states without a prescription-monitoring system. Attempts to pass a law have failed seven times in the state legislature.
No ransom in Virginia
Mongiardo said the hacker incident doesn’t mean prescription-monitoring systems don’t work.
Kentucky’s system has never lost data because of security problems, said Beth Fisher, a spokeswoman for the Kentucky Cabinet for Health and Family Services.
“The Cabinet has a dedicated information security staff and has implemented a number of controls to help monitor any security problems,” Fisher said. The Cabinet also hires outside security consultants from time to time, she said.
Kentucky officials would not provide further details about the KASPER security system.
“Unfortunately, discussing this would only make the system vulnerable,” Fisher said.
Virginia’s Web site says that officials know of no identity theft that has occurred because of the hacker, but that they are warning citizens to be on the alert for the next several months.
Virginia Gov. Tim Kaine has said that the state will not pay the ransom.
And Kaine spokesman Gordon Hickey said that Virginia’s governor thinks prescription monitoring programs are effective.
“The governor is not dissuading anyone from using such a system,” Hickey said.