700,000 potential victims notified – months after hacking incident

Nearly a year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident.

Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers’ records were accessed. Now the company says that about 700,000 have been notified.

The trouble started for the St. Louis-based company in October 2008, when it received a letter containing the names, birth dates, Social Security numbers and prescription data of 75 patients. The extortionists threatened to make the information public if they weren’t paid. Express Scripts refused and instead notified the U.S. Federal Bureau of Investigation. The company is now offering a US$1 million reward for information leading to the arrest of the perpetrators.

Express Scripts has not said how the criminals managed to get hold of the data, but in an e-mailed statement the company said that “there have been no reported cases of misuse of member information resulting from the incident.”

In a June court filing, the company said that three of its customers have also been approached by the extortionists.

Toyota is one of those companies. In November 2008 it received a letter that was similar to the October Express Scripts threat, from extortionists who threatened to release information on Toyota employees and their dependents.

Express Scripts manages pharmacy benefits for corporations and government agencies. It reported $22 billion in revenue last year.

Customers are not the only people who have been approached by the criminals. A few weeks ago, an unidentified law firm was also provided with more records, according to Express Scripts spokeswoman Maria Palumbo. That firm turned over the records to the U.S. FBI, which in turn informed Express Scripts.

“In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt,” the company said on its Web site. “Express Scripts is in the process of notifying these members.”

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

It’s troubling that Express Scripts has apparently been unable to figure out exactly whose data was accessed, said Dissent, a health care professional who runs the Databreaches.net Web site and uses a pseudonym to keep her privacy advocacy separate from her professional practice. “Given that they may not really yet know the full scope of this incident and that we really cannot be sure that the extortionist didn’t acquire the entire database, it would seem prudent to notify everyone whose records were in the database,” she wrote in an e-mail interview.

“This breach is certainly not the largest breach involving personal health information that we’ve seen,” she said. “But it is nevertheless a very troubling breach because it signals that cybercriminals are recognizing the value of databases containing patient information even where no financial or credit card information is included.”

Source: Computerworld
