TotalCIO

Nov 7 2008   11:50AM GMT

Express Scripts data breach includes demand for money; FBI brought in

Linda Tucci

The Express Scripts data breach comes with an alarming twist.

Yesterday, the St. Louis-based pharmacy benefits manager revealed that it received an anonymous letter in early October demanding that it pay up or risk exposure of the records of millions of patient members on the Internet.  Express Scripts did not say if the extortion letter specified an amount of money. The anonymous letter included the personal information of 75 members, including their names, dates of birth, Social Security numbers and, in some cases, their prescription information, the company said.

In its announcement yesterday, the company said it turned over the letter immediately to the FBI, which is investigating the threat, and hired outside experts to help in its own investigation of the data breach. The company said the 75 members singled out in the letter have been notified, and that it is unaware at this time “of any actual misuse of the information.”

A company website on the data breach and extortion letter states that Express Scripts staff members believe they “have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls.”

One of the largest pharmacy benefit management companies in the country, Express Scripts provides prescription benefits to about 50 million people. The website said the company deploys a variety of security systems designed to protect members’ personal information from unauthorized access.

“However, as security experts know, no data system is completely invulnerable,” said George Paz, chairman and CEO.

“We have been conducting a thorough investigation since we received this threat, and we are taking it very seriously,” Paz said. “We are cooperating with the FBI and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act.”

The New York Times said the company has not ruled out the possibility that the data breach was an inside job.

A Wall Street Journal blog says this is not the first extortion attempt involving health records.

“Just last month, the FBI announced the arrest of some guy who allegedly stole a computer server from the Indianapolis office of Medical Excess LLC, a subsidiary of AIG, that contained ‘personally identifying and health care sensitive information’ of more than 900,000 people. The man is also accused of trying to extort AIG for $208,000 under a threat to release the data on the Internet, the FBI said. A spokesman for AIG told us that to the best of the company’s knowledge, no personal information was disclosed.”

1  Comment on this Post

 
  • Linda Tucci
    Express Scripts has lost control of health- and credit-related data on millions of Americans, in what was almost certainly an inside job by one of their employees. Many levels of error and liability could exist on Express Scripts' part, from failing to take reasonable steps to prevent unauthorized access to privacy data, to inadequate background checks of employment applicants. I went to the Express Scripts website and saw little to inspire confidence, were I one of the victims of the access violation. Perhaps Express Scripts should offer, unconditionally, to indemnify anyone whose data was compromised. THAT would inspire confidence, and is the kind of step which should be the norm (or eventually, it will be mandated) for the behavior of information providers like Express Scripts.