2nd UPDATE: Express Scripts: Extortionist Has Even More Data
September 30 2009 - 5:43PM
Dow Jones News
Express Scripts Inc. (ESRX), the object of a 2008 extortion
attempt by someone threatening to expose personal patient data,
started notifying hundreds of thousands of members recently after
the extortionist showed evidence of possessing more records than
previously thought.
Since the threat was first made public nearly a year ago, the
St. Louis-based company, one of the largest U.S. pharmacy benefits
managers, has mailed notification letters to approximately 700,000
people, an Express Scripts spokeswoman told Dow Jones Newswires on
Wednesday. Most of those letters stemmed from the latest move by
the extortionist, as only a few hundred patients received notices
last fall.
"These are individuals whose information was contained in data
records that we saw [were sent] from the extortionist," said
company spokeswoman Maria Palumbo.
The Federal Bureau of Investigation informed Express Scripts in
late August "that the perpetrator had recently taken action to
prove that he possesses more members' records from the same period
as those identified in the 2008 extortion attempt," the company
said in an update posted on its member-support Web site in early
September.
"Express Scripts is in the process of notifying these members,"
the company said. "Express Scripts is unaware at this time of any
actual misuse of members' information."
The person who illegally obtained member records recently sent a
data file to a law firm, which forwarded it to the FBI, according
to Palumbo, who wouldn't identify the law firm, other than to say
it was one that had filed a lawsuit against the company.
"This is a new development of the same incident that happened
last fall," said Palumbo. The thief now has proven the possession
of additional records from that time, she explained. The latest
development did not include any direct contact with Express
Scripts, she said. The data looks consistent with how Express
Scripts' data appeared in 2006, according to Palumbo.
The breach came to Express Scripts' attention in October 2008,
when the company received an anonymous letter threatening to expose
millions of member records on the Internet if an extortion demand
wasn't satisfied. The letter included personal data on 75 members
of the company's drug-benefit plans, including Social Security
numbers, addresses, birth dates and, for some, prescription
information. In November, some Express Scripts clients received
similar letters involving data on a few hundred individuals.
Express Scripts notified all affected members and the FBI, which
started an investigation. The company also established a $1 million
reward for information leading to the arrest and conviction of
those responsible for the data breach and extortion attempt, and
contracted with Kroll Fraud Solutions, part of a Marsh &
McLennan Cos. (MMC) unit, to assist members who believe they may
be victims of identity theft because of the incident.
"We do feel like we've done what we need to to ensure that an
incident like this will not happen again," said Palumbo.
After the most recent development, Express Scripts sent a letter
to the New Hampshire attorney general saying it was notifying 1,771
individuals in that state alone that their personal data had been
obtained without authorization.
"We did send letters to members across the country," and the
company notified all 50 state attorneys general, Palumbo said.
The company said on its site that it "stands firm in our refusal
to give in to the demands of the extortionist and will continue to
cooperate fully with the FBI in their investigation."
The Express Scripts update and New Hampshire letter were
reported in mid-September on databreaches.net, also known as the
Office of Inadequate Security, which follows such incidents.
Express Scripts, which doesn't typically release its total
membership, has enrollment in the "tens of millions," said
Palumbo.
The data breach has occurred as the federal government and the
health-care and information-technology industries are pushing for
broad adoption of electronic health records and prescriptions and
other forms of health IT.
Express Scripts, the third-largest pharmacy benefits manager in
the U.S., will expand significantly after its planned acquisition
of health insurer WellPoint Inc.'s (WLP) in-house PBM, NextRx, this
year. The deal includes a 10-year contract for Express Scripts to
provide services to WellPoint, the largest corporate U.S. health
insurer by membership.
On the Web:
www.esisupports.com
http://doj.nh.gov/consumer/pdf/express_scripts.pdf
-By Dinah Wisenberg Brin, Dow Jones Newswires; 215-656-8285;
dinah.brin@dowjones.com