Express Scripts extortion, potentially millions affected
Date Reported:
11/6/08
Organization:
Express Scripts (ESRX)
Contractor/Consultant/Branch:
None
Location:
St. Louis, Missouri
Victims:
Patients
Number Affected:
"millions"*
*This is the number threatened to be involved, 75 are confirmed
Types of Data:
"names, dates of birth, social security numbers, and in some cases, their prescription information"
Breach Description:
"ST. LOUIS, Nov 6, 2008 (GlobeNewswire via COMTEX News Network) -- Express Scripts (Nasdaq:ESRX), one of the largest pharmacy benefit management companies in North America, today announced that it has received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company's patients' records."
Reference URL:
Express Scripts Press Release
Express Scripts Response Site
The Wall Street Journal
Report Credit:
Express Scripts
Response:
From the online sources cited above:
ST. LOUIS, Nov 6, 2008 (GlobeNewswire via COMTEX News Network) -- Express Scripts (Nasdaq:ESRX), one of the largest pharmacy benefit management companies in North America, today announced that it has received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company's patients' records.
[Evan] This isn't exactly the kind of press release that executive management, investors, or customers want to see.
The letter included personal information of 75 members, including their names, dates of birth, social security numbers, and in some cases, their prescription information.
The company said it has notified the affected members.
[Evan] The company has notified the 75 affected members, and is in the process of notifying the others (potentially millions).
It also immediately notified the FBI, which is investigating the crime.
The company also said that it is conducting its own investigation with the help of outside experts in data security and computer forensics.
The letter arrived in early October.
Express Scripts spokesman Steve Littlejohn said the company delayed publicizing the letter to allow the investigation to take shape, but it had now reached a stage where the company wanted to make it public.
[Evan] I would assume that a part of allowing "the investigation to take shape" is confirming that this is likely not a hoax. No company wants to go public with something like this unless they absolutely have to.
"We have been conducting a thorough investigation since we received this threat and we are taking it very seriously," said George Paz, chairman and chief executive officer.
[Evan] Are you an information security professional having trouble getting the attention of senior management? An extortion attempt concerning millions of customer records will certainly do it!
"We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act."
[Evan] Boy o boy, if the extortionist(s) knows what he/she is doing it could be very difficult to find him/her.
"Express Scripts is committed to the privacy and security of our members' personal information," said Paz, "so a threat like this against our members is outrageous."
Express Scripts said it deploys a variety of security systems designed to protect their members' personal information from unauthorized access.
"However, as security experts know, no data system is completely invulnerable," Paz said.
[Evan] While this is certainly true, it is not really an excuse either. Security experts need more information and detail to go on before passing judgment.
"We continue to conduct our investigation. We are notifying our members and clients to enable them to take steps to protect themselves from possible identity theft."
Express Scripts announced that it has launched a website for members to obtain information about this security incident and to access resources and information to help them protect themselves against the possibility of identity theft.
The location of this website is: www.esisupports.com
[Evan] This is a very informative site. If you think you may be affected, I encourage you to visit.
We believe we have identified where the data involved in this situation was stored in our systems, have instituted enhanced controls, and are committed to fully understanding what happened.
[Evan] Remember earlier in this post. A company doesn't want to go public unless they have to, meaning that they probably wouldn't unless the threat was credible. The fact that the company may have found evidence of the breach may have certainly led to the disclosure/notification.
The company said it has not received any reports of identity theft associated with the problem.
We’re in the process of notifying all our members and clients to enable them to take steps to protect themselves from possible identity theft.
[Evan] According to this statement, "all" members will be notified. "Express Scripts handles millions of prescriptions each year through Home Delivery and at retail pharmacies." Source: Express Scripts "About Us"
Commentary:
Obviously there is much more news to come. I signed up for the e-mail alerts on http://www.esisupports.com/home/. This breach has the potential to be very significant in terms of the number of people affected and scope of information disclosed. I will do my best to update when I can.
Past Breaches:
Unknown

I have used Express Scripts AND here's the kicker.... just rec'd letter from HealthNet that they mailed out a mailer to me the week of Oct 6th that had my SSN on the mailing label. So, that's TWICE in one week that I learned of a breach by my health insurance provider (HealthNet uses Express Scripts for Rx). Grrrr.
Elizabeth: could you provide more info or get me a copy of the notification about the mailing label error? I'd like to follow up with them on that. Do they provide a phone number to call?
In case you were not aware yet, there are a couple of new items to report.
1. Express Scripts has retained "data security services" from Kroll. "Express Scripts has contracted with Kroll, a New York-based risk consulting firm and a global leader in data security. Through Kroll, Express Scripts is providing members with appropriate levels of consultation, investigation and identity restoration services." This is a good thing and Kroll is very good at what they do (in my opinion).
2. Express Scripts is "establishing a reward totaling $1 million for the person or persons who provide information resulting in the arrest and conviction of those responsible for these criminal act". I kind of wish I knew something. A million bucks is a boatload of money.
The source for both announcements is the ESI Supports page. If you have not done so yet, I suggest signing up for email alerts (signup located on the bottom right of the ESI Supports site).