Express Scripts: 700,000 notified after extortion

Data was sent to an unidentified law firm

Nearly one year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident.

Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers' records were accessed. Now the company says that about 700,000 have been notified.

The trouble started for the St. Louis-based company in October 2008, when it received a letter containing the names, birth dates, Social Security numbers and prescription data of 75 patients. The extortionists threatened to turn the information public if they weren't paid. Express Scripts refused and instead notified the U.S. Federal Bureau of Investigation. The company is now offering a US$1 million reward for information leading to the arrest of the perpetrators.

Express Script has not said how the criminals managed to get hold of the data, but in an e-mailed statement the company said that "there have been no reported cases of misuse of member information resulting from the incident."

In a June court filing, the company said that three of its customers have also been approached by the extortionists.

Toyota is one of those companies. In November 2008 it received a letter that was similar to the October Express Scripts threat, from extortionists who threatened to release information on Toyota employees and their dependents.

Express Scripts manages pharmacy benefits for corporations and government agencies. It reported $22 billion in revenue last year.

Customers are not the only people who have been approached by the criminals. A few weeks ago, an unidentified law firm was also provided with more records, according to Express Scripts spokeswoman Maria Palumbo. That firm turned over the records to the U.S. FBI, which in turn informed Express Scripts.

"In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt," the company said on its Web site. "Express Scripts is in the process of notifying these members."

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

It's troubling that Express Scripts has apparently been unable to figure out exactly whose data was accessed, said Dissent, a health care professional who runs the Databreaches.net Web site and uses a pseudonym to keep her privacy advocacy separate from her professional practice. "Given that they may not really yet know the full scope of this incident and that we really cannot be sure that the extortionist didn't acquire the entire database, it would seem prudent to notify everyone whose records were in the database," she wrote in an e-mail interview.

"This breach is certainly not the largest breach involving personal health information that we've seen," she said. "But it is nevertheless a very troubling breach because it signals that cybercriminals are recognizing the value of databases containing patient information even where no financial or credit card information is included."

Tags ToyotaExpress ScriptsfbiFinkelstein Thompson

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?