UPDATE:Express Scripts: Breacher Shows More Member Data
30 September 2009 - 8:10PM
Dow Jones News
Express Scripts Inc. (ESRX), the object of a 2008 extortion
attempt by someone threatening to expose the personal data of
patients in its drug plans, recently learned that the perpetrator
took steps to prove he or she possesses more member records than
those previously shown.
Since the threat was first made nearly a year ago, the St.
Louis-based company, one of the largest U.S. pharmacy benefits
managers, has sent notification letters to approximately 700,000
affected people, an Express Scripts spokeswoman said Wednesday.
Information wasn't immediately available on how many of those
letters stemmed from the latest move by the data breacher.
The Federal Bureau of Investigation informed Express Scripts in
late August "that the perpetrator had recently taken action to
prove that he possesses more members' records from the same period
as those identified in the 2008 extortion attempt," the company
said in an undated update on Express Scripts' support Web site.
"Express Scripts is in the process of notifying these members,"
the company said. "Express Scripts is unaware at this time of any
actual misuse of members' information, but we understand the
concern that this situation has caused our members."
Express Scripts spokeswoman Maria Palumbo told Dow Jones
Newswires that the person who illegally obtained member records
recently sent a data file to a law firm, which forwarded it to the
FBI. Palumbo wouldn't identify the law firm, other than to say it
was one that had filed a lawsuit against the company.
"This is a new development of the same incident that happened
last fall," said Palumbo. The breacher now has proven the
possession of additional records from that time, she explained.
The breach came to Express Scripts' attention in October 2008,
when the company received an anonymous letter threatening to expose
millions of member records on the Internet if an extortion demand
wasn't satisfied. The letter included personal data on 75 members
of the company's drug-benefit plans, including Social Security
numbers, addresses, birth dates and, for some, prescription
information. In November, some of Express Scripts' clients received
similar letters.
Express Scripts notified all affected members and the FBI, which
started an investigation. The company also established a $1 million
reward for information leading to the arrest and conviction of
those responsible for the data breach and extortion attempt, and
contracted with Kroll Fraud Solutions, part of a Marsh &
McClennan Cos. (MMC) unit, to assist members who believe they may
be victims of identity theft because of the incident.
Express Scripts has taken aggressive action to enhance security
operations and data handling procedures, said Palumbo.
After the most recent development, Express Scripts more than two
weeks ago sent a letter to the New Hampshire attorney general
saying it was notifying 1,771 individuals in that state alone that
their personal data had been obtained without authorization. The
letters sent to affected individuals indicate that some may be
former members of Express Scripts' prescription-benefit plans.
"We did send letters to members across the country," said
Palumbo.
The company said on its site that it "stands firm in our refusal
to give in to the demands of the extortionist and will continue to
cooperate fully with the FBI in their investigation."
The Express Scripts update and New Hampshire letter were
reported in mid-September on databreaches.net, or Office of
Inadequate Security, which follows such incidents.
Express Scripts, which doesn't typically release its total
membership, has enrollment in the "tens of millions," said
Palumbo.
The data breach occurs as the federal government and the
health-care and information-technology industries are pushing for
broad adoption of electronic health records and prescriptions and
other forms of health IT.
Express Scripts, the third-largest pharmacy benefits manager in
the U.S., will expand significantly after its planned acquisition
of health insurer WellPoint Inc.'s (WLP) in-house PBM, NextRx, this
year. The deal includes a 10-year contract for Express Scripts to
provide services to WellPoint, the largest corporate U.S. health
insurer by membership.
On the Web:
www.esisupports.com
http://doj.nh.gov/consumer/pdf/express_scripts.pdf
-By Dinah Wisenberg Brin, Dow Jones Newswires; 215-656-8285;
dinah.brin@dowjones.com