Extortion: When Data Security Becomes an FBI Issue


No one wants to see his or her company name in a headline about extortion, especially a company with over 50 million members.

Express Scripts, a large pharmacy-benefits company based in the St. Louis area, received a letter threatening the exposure of some its customer records and medical information. So, it did what any right-minded company would do; it called in the Feds (and called in risk consultants to handle customers).

As recently reported by the St. Louis Business Journal, Express Scripts said it received an extortion letter from an unknown source in early October 2008 and has since notified its affected customers, even going so far as to create a special Web site for users about the incident.

I have to give some kudos to Express Scripts for signing up a risk management and identity theft firm to handle affected clients (in this case, Kroll, which is owned by Marsh & McLennan), but it's becoming a way too common experience to see businesses--whose job it is to have and store your data as a central business model--consistently get whacked by hackers. The whole reason company benefits programs turn to these pharmacy management services is for cost savings, but when they can't protect the most essential elements of customer data, you have to wonder what you are getting for the money saved. Right now, Express Scripts says this on its customer support site:

Based on a case review provided by Kroll, Express Scripts will provide identity restoration services from Kroll for all legitimate and approved cases of identity theft. Restoration services include investigation of fraudulent activity; issuing fraud alerts; interaction with affected financial institutions, appropriate law enforcement or regulatory agencies and credit card companies; and any necessary document preparation. The investigator assigned to the victim will remain constant, working directly with the individual until the issues are resolved.

Express Scripts recognizes the concern this situation has caused our clients and for members, and we are committed to safeguarding the privacy and security of members' information. These services we are offering from Kroll can be accessed by dialing 1-866-795-9350.

This is not to say the business model is flawed, but that its IT infrastructure and risk management practices need a serious tune-up. Could national compliance standards for securing medical data have protected Express Scripts' customers?

The argument is still up in the air. For the time being, we are left to ponder how the hackers keep winning and winning and winning.