In early October, Express Scripts received a letter from an unknown person or persons trying to extort money from the company. This unknown person or persons threatened to expose millions of the company’s members’ records on the Internet if the extortion threat was not met. The extortion letter included personal information on 75 members including their social security numbers, addresses, dates of birth, and in some cases, prescription information.This is VERY bad news. PBM data bases are a crucial source of information for the kind of epidemiological research and comparative effectiveness studies that can allow us to improve outcomes and slow down the cost trend.
Express Scripts notified the FBI immediately after receiving the letter and there is an official investigation underway. We also notified the members whose information was contained in the extortion letter. The company has also launched its own investigation with the help of top experts in data security and computer forensics.
While we are unaware at this time of any actual misuse of any members’ information, we understand the concern that this situation has caused our members.
This site is designed to keep you updated on developments concerning that situation and to provide you with important tools and resources to help protect yourself against identity theft.
We are taking this situation very seriously and want to reassure you that we are committed to doing what we can to secure your data.
A year ago, in a posting on "Information Technology, Ethics, and Integrity," I wrote:
It is increasingly true that IT functions as the nervous system of health organizations. It shapes our capacity to communicate with patients and colleagues. At its best IT enables wide communication combined with privacy protections. It can enhance or impede the quality of clinician-patient relationships.The security breach at Express Scripts will add to the public's fear about electronic data bases. This isn't just a technical problem. At its best, IT allows us to coordinate our disastrously compartmentalized health system and do much more for our patients. Good ethics isn't just a matter of endorsing good values. We have to be able to put those values into action. Loss of faith in the integrity of health data will tie our hands.