Home | News Alerts | Pharmacy Benefits Co. Extortion Plot Vast

Pharmacy Benefits Co. Extortion Plot Vast

700,000 notified of record heist

October 8, 2009

It turns out there were far more records accessed in the Express Scripts data heist than previously realized.

The company, one of the largest U.S. pharmacy benefits managers, has mailed approximately 700,000 data breach notification letters in response to additional information in the case, Dow Jones Newswires reported.

“In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt,” the company stated on its web site.

“This is a new development of the same incident that happened last fall,” company spokeswoman Maria Palumbo told Dow Jones.

The St. Louis-based company sent only a few hundred notices last fall after being sent an anonymous extortion letter that laid out a threat to expose millions of member records online. The letter, which was sent in October 2008, included personal data (including Social Security numbers, addresses and birth dates) for 75 drug-benefit plan members.

In November 2008, Toyota, an Express Scripts customer, received a letter that threatened the release of information on that company’s employees and their dependents, Computerworld reported, citing a June filing in a class-action suit brought on behalf of affected members.

Refusing to negotiate

Express Scripts said in a FAQ that it “stands firm in [its] refusal to give in to the demands of the extortionist.” The company has offered a $1 million reward in the case.

Express Scripts has not said how the information was accessed. “Details regarding the situation are limited,” company vice president Janice C. Forsyth stated in a Sept. 14 letter [pdf] to New Hampshire’s Attorney General. She added, “we remain unaware of any actual misuse of the information.”

The company meanwhile has “taken aggressive action to enhance its security operations and data handling procedures.” Palumbo told Dow Jones: “We do feel like we’ve done what we need to ensure that an incident like this will not happen again.”