FBI Hunts Extortionists Holding Health Data on Millions

Someone is trying to extort money from a company that handles drug prescription benefits for 50 million Americans in what could be one of the more damaging cases of data loss on record. The incident may raise red flags for industry hopes of putting more health care information online in an effort to control costs.

The FBI is looking into the extortion attempt against St. Louis-based Express Scripts, which Thursday notified federal authorities that it received a letter in early October that included personal information on 75 members -- including names and social security numbers -- and a demand for money. Otherwise, the records of millions of members would be exposed, the company said.

Not Messing Around

"We have been conducting a thorough investigation since we received this threat and we are taking it very seriously," George Paz, Express Scripts CEO said. "We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act."

The company is not saying how much money was asked for, whether the extortion letter was sent via e-mail or regular mail, how much data had been lost or whether the data breach was the result of an accident or an inside job. The company does know where the data on the 75 members originated within its system.

Express Scripts said it's working with outside experts in data security and computer forensics as part of its internal investigation, in addition to cooperating with the FBI. It has also set up a Web site to help members with more information on the incident and with resources for protecting themselves from identity theft.

The Prognosis for Online Health Care

During the 2008 presidential campaign, both Barack Obama and John McCain supported initiatives to take medical records online to save on paper and help cut down on overall health care costs. With so much of the health care record-keeping process subcontracted from health maintenance organizations (HMOs) to individual providers, security experts say the gaps between companies could provide ample opportunities for identity thieves.

"The technology itself is so compelling that it causes us to use it, even though we know about the flaws," David Perry, global director of education for computer security company Trend Micro (Nasdaq: TMIC) told the E-Commerce Times. "We are in a transition period. In 100 years, everything is going to be on the Internet. When we get to that point, I assume everything will be redesigned to make it more secure, but now we're in transition."

Express Scripts manages pharmacy benefits for "thousands of client groups, including managed-care organizations, insurance carriers, employers, third-party administrators, public sector, workers' compensation, and union-sponsored benefit plans," according to its press materials.

"It goes beyond HMOs," Steve Duncan, senior product manager for Entrust told the E-Commerce Times. "Every company that's feeling the pinch right now would rather move processes online so they can save money. As soon as you do that you have to have things in digital format and stored in digital format, and there's the opportunity for data theft. I think we'll hear a lot more about this."

Diagnosing the Company Reaction

Both Duncan and Perry give Express Scripts high marks for going public with the extortion attempt and providing as much information as possible to its members. "In fact, it's the law," Duncan said. "It varies from state to state, but any time you know of a data loss you are responsible for disclosing it to the appropriate people. They (Express Scripts) were proactive, and that's good. Since they don't know how it was lost, I sure hope they're taking measures to mitigate that loss again."

Perry says other companies may still be keeping similar blackmail attempts a secret for fear of public relations or stock price damage, "but I think we're going to turn the corner on that. I think that's going to change. In some sense openness will be a protection on that."

Express Scripts said it was using methods to ensure customer privacy before receiving the extortion letter. But would those methods help protect against inside jobs or accidental losses of USB memory sticks or laptop computers loaded with personal information? Duncan said more encryption of all data that leaves company offices would help.

Perry says federal authorities are also spending more money to get smarter in dealing with cybercrimes and are seeing some success from their efforts. "The FBI is doing fantastic work these days. It's showing up and putting people in jail."