The Express Scripts data breach comes with an alarming twist.
Yesterday, the St. Louis-based pharmacy benefits manager revealed that it received an anonymous letter in early October demanding that it pay up or risk exposure of the records of millions of patient members on the Internet. Express Scripts did not say if the extortion letter specified an amount of money. The anonymous letter included the personal information of 75 members, including their names, dates of birth, Social Security numbers and, in some cases, their prescription information, the company said.
In its announcement yesterday, the company said it turned over the letter immediately to the FBI, which is investigating the threat, and hired outside experts to help in its own investigation of the data breach. The company said the 75 members singled out in the letter have been notified, and that it is unaware at this time “of any actual misuse of the information.”
A company website on the data breach and extortion letter states that Express Scripts staff members believe they “have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls.”
One of the largest pharmacy benefit management companies in the country, Express Scripts provides prescription benefits to about 50 million people. The website said the company deploys a variety of security systems designed to protect members’ personal information from unauthorized access.
“However, as security experts know, no data system is completely invulnerable,” said George Paz, chairman and CEO.
“We have been conducting a thorough investigation since we received this threat, and we are taking it very seriously,” Paz said. “We are cooperating with the FBI and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act.”
The New York Times said the company has not ruled out the possibility that the data breach was an inside job.
A Wall Street Journal blog says this is not the first extortion attempt involving health records.
“Just last month, the FBI announced the arrest of some guy who allegedly stole a computer server from the Indianapolis office of Medical Excess LLC, a subsidiary of AIG, that contained ‘personally identifying and health care sensitive information’ of more than 900,000 people. The man is also accused of trying to extort AIG for $208,000 under a threat to release the data on the Internet, the FBI said. A spokesman for AIG told us that to the best of the company’s knowledge, no personal information was disclosed.”