As I had suggested previously in several tweets, those involved in the hack of Pharmacist.com may not have understood what some of the data that they acquired in the hack were. They certainly didn’t understand the nature of their target. In a statement disclosing the hack, reproduced on CyberWarNews.info, the hackers had written:
In an effort to make a mockery of our friends inside of the US government we are releasing personal information and credit card details from government officials.
We strongly advise you to make your website more secure, because if we didn’t find this information, black hats would have…
We also found 16000 records of patients in ur www root folder! RU serious?!. We decided to filter out all non-governmental information, don’t worry, your information is safe.
A professional trade association is not a government entity and although some people employed by government may belong or be members, attacking trade organizations is not an attack on government.
And although the hackers claimed to have acquired 16,000 patients’ records that they did not dump in the torrent they released, I have not found any confirmation that any patient records were involved at all. Nor would it make any sense for a professional trade organization to have such information. The only type of personal info on patients that an organization like this might obtain would be if they had a forum or subdomain that allowed members of the public to ask questions, where some people might reveal some of their personal info in an attempt to get info or help. I don’t think that was the case in Pharmacist.com, however.
The association has released the following press release:
Memorial Day incident result of unauthorized data access
APhA today successfully restored its website, www.pharmacist.com. The website was accessed and defaced by an unknown and unauthorized individual or group on May 28, according to a May 31 statement to the media.
To show appreciation for its visitors, APhA made APhA DrugInfoLine (www.aphadruginfoline.com) available to everyone, in its entirety, until June 20, 2012.
“We thank our members for their patience during this trying time,” Thomas E. Menighan, BSPharm, ScD, MBA, APhA CEO/Executive Vice President, said. “We understand how important pharmacist.com is to our members in their search for pharmacy information, education, resources, and networking. APhA considers any unauthorized access to be serious, and has been working nonstop to ensure the website was secured and back online in a timely manner.”
As soon as APhA was notified of the incident, staff shut down pharmacist.com and its servers to protect the personal information of members, donors, and visitors. Law enforcement was notified, and APhA staff members began working with forensic experts and investigators to secure website data and member records. The team then developed a plan to reinstate service to its members and customers and to determine the full extent of the incident.
In a set of frequently asked questions (FAQs) posted today on the relaunched website, APhA said the unauthorized person(s) had obtained “some names, physical addresses, and email addresses” of pharmacist.com users. These were posted on a file-sharing website. To date, APhA’s forensic investigation has found no evidence of sensitive, personally identifiable information, such as credit card data, being accessed or used, but will continue to monitor and react appropriately. Because e-mail addresses were obtained, APhA encouraged members and other pharmacist.com users to be vigilant in watching for “phishing” e-mail messages that might ask them for sensitive, personal information. “APhA will never ask for your account password, credit card number, bank account number, login credentials, or any other personal information in an e-mail,” APhA said in the FAQs.
APhA elections, which began on May 23, were not affected by the pharmacist.com outage. Voting is conducted on a separate website, and votes were recorded accurately for members who cast ballots during the pharmacist.com outage. The electronic Voter’s Guide, which contains candidates’ information and statements, was not available when pharmacist.com was first taken down. Candidate information was later added to the election site, and balloting continued throughout this process uninterrupted.
On the advice of forensic consultants, APhA said that it has made further enhancements in the security measures used on pharmacist.com. “The nature of this investigation limits what we can say about the attack itself, and prudence dictates that we not publicize the measures being taken to prevent future attacks,” APhA noted in the online FAQs.
All that said, I would love to see a sample of the records the hackers think are patient records to see what kinds of information were involved. If Pharmacist.com has neglected to disclose that patient records were involved, that would be serious, but I do doubt that there were patient records involved.
Although the hack did disclose over 28,000 visitors’, donors’, or members’ email addresses and info, as far as data dumps go, this one is not particularly sensitive. See Identity Finder’s analysis of the data dump, which matches what I had observed in going through the torrent.
Updated June 23: I received an email from one of the hackers, who included screenshots of the data records in the file they claim to have found in the root directory. As I suspected, the records are not patient records and contain no PHI or medical information. They appear instead to be contact information for 16,531 individuals who generally provided their professional addresses and contact information. That said, I commend the hacker(s) for restraint in not dumping what they thought were patient records. Why these records were in a file in the root directory is not clear, but hopefully pharmacist.com has reviewed and fixed its security.