Extortion Used in Prescription Data Breach

By Brian Krebs
washingtonpost.com Staff Writer
Saturday, November 8, 2008

One of the nation's largest processors of pharmacy prescriptions said this week that extortionists are threatening to disclose personal and medical information about millions of Americans if the company fails to meet payment demands.

St. Louis-based Express Scripts said Thursday that in early October it received a letter that included the names, birth dates, Social Security numbers and, in some cases, prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement.

Chief executive George Paz said in the statement that Express Scripts has no intention of paying and that his company is working with the FBI to track down those responsible for the scam.

Express Scripts is the third-largest U.S. pharmacy benefit management firm, a type of company that processes and pays prescription drug claims on behalf of health plans. Working with more than 1,600 companies, it handles roughly 500 million prescriptions a year for about 50 million Americans.

Express Scripts has notified its clients of the threat. Fairfax County Public Schools yesterday sent a letter to employees alerting health-plan participants who use Express Scripts to the breach.

"FCPS is deeply concerned about this kind of breach, which could adversely affect our employees," Superintendent Jack D. Dale said in the letter. "We expect and deserve the highest level of security when we entrust our vendors to handle our employees' personal information."

The letter was delivered by mail, said company spokesman Steve Littlejohn. He declined to say how much money the extortionists were demanding. He added that the company is trying to determine how the data were stolen.

"We know where the data came from by looking at it, but precisely how it was accessed is still part of the investigation," Littlejohn said.

The company last week set up a Web site to give consumers tips on how to protect their identity. While Express Scripts does not interact with consumers directly, the company's name is printed on prescription cards of health-care plans that use its services, Littlejohn said. The 75 people listed in the letter have been notified.

Billy Cox, special agent for the FBI's St. Louis field office, confirmed that the bureau was contacted by Express Scripts, but declined to comment on the case.

Alan Paller, director of research for the SANS Institute, a Bethesda-based computer-security training group, said many companies, especially in the financial industry, have already paid to keep their customers' data from being released. Some receive more than one extortion threat a day.

Paller said that in some ways, the health-care industry is the perfect target.

"Nobody is going to want to go to a health-care provider if they think their private medical history is going to be revealed to the world online," he said. "Hospitals wouldn't have to think too hard about that before paying off an extortion demand."

Last month, the FBI arrested an Indiana man, accusing him of stealing 900,000 policyholder records from a medical provider and trying to extort $208,000 from its parent, American International Group.

Graham Cluley, a senior technology consultant for Sophos, a British computer security company, said Express Scripts was right to go to the FBI.

"Data extortion is not like if your daughter gets kidnapped: Even if something is returned to you, you can never be sure they're not going to carry on taking advantage of the situation," Cluley said. "The bad guys can always just make a copy of what they've stolen, and they can keep on coming back and asking for money, or they can still go and sell the data online."

© 2008 The Washington Post Company