Nearly one year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident.
Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers' records were accessed. Now the company says that about 700,000 have been notified.
The trouble started for the St. Louis-based company in October 2008, when it received a letter containing the names, birth dates, Social Security numbers and prescription data of 75 patients. The extortionists threatened to turn the information public if they weren't paid. Express Scripts refused and instead notified the U.S. Federal Bureau of Investigation. The company is now offering a US$1 million reward for information leading to the arrest of the perpetrators.
Express Script has not said how the criminals managed to get hold of the data, but in an e-mailed statement the company said that "there have been no reported cases of misuse of member information resulting from the incident."
In a June court filing, the company said that three of its customers have also been approached by the extortionists.
Toyota is one of those companies. In November 2008 it received a letter that was similar to the October Express Scripts threat, from extortionists who threatened to release information on Toyota employees and their dependents.
Express Scripts manages pharmacy benefits for corporations and government agencies. It reported $22 billion in revenue last year.
Customers are not the only people who have been approached by the criminals. A few weeks ago, an unidentified law firm was also provided with more records, according to Express Scripts spokeswoman Maria Palumbo. That firm turned over the records to the U.S. FBI, which in turn informed Express Scripts.
"In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt," the company said on its Web site. "Express Scripts is in the process of notifying these members."
In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.
It's troubling that Express Scripts has apparently been unable to figure out exactly whose data was accessed, said Dissent, a health care professional who runs the Databreaches.net Web site and uses a pseudonym to keep her privacy advocacy separate from her professional practice. "Given that they may not really yet know the full scope of this incident and that we really cannot be sure that the extortionist didn't acquire the entire database, it would seem prudent to notify everyone whose records were in the database," she wrote in an e-mail interview.
"This breach is certainly not the largest breach involving personal health information that we've seen," she said. "But it is nevertheless a very troubling breach because it signals that cybercriminals are recognizing the value of databases containing patient information even where no financial or credit card information is included."