As we've mentioned several times in the past, successful compromise of a website doesn't just spell trouble for that site's visitors - it can lead to an internal compromise of the affected enterprise. Just ask the folks at http://www.pmp.dhp.virginia.gov, the Virginia state prescription drug monitoring program. Their website was compromised, patient records were deleted, and the attackers left a ransom note behind:

"I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh:(For $10 million, I will gladly send along the password.

More details available here.