Skip to content Skip to navigation

Data Extortion and the Express Scripts Breach

December 9, 2008
by Reece Hirsch
| Reprints


Last month, the PBM Express Scripts announced that it had received an extortion letter threatening to expose millions of patient records stolen from the company. The letter contained the Social Security numbers and, in some cases, the prescription information, of 75 members. When Express Scripts refused to bargain, the criminals proceeded to send similar letters to several of the PBM's customers. Express Scripts appears to have taken all of the right steps in responding to the breach, including notifying the FBI, retaining outside data security and computer forensics experts to aid in its investigation, and establishing a website for members to obtain information about the incident. The company is even offering a $1 million reward for the arrest or conviction of the person or persons responsible for the extortion.

In the past, perpetrators of breaches have tended to utilize the data to commit financial fraud. Direct attempts at extortion appear to be a relatively new trend in information fraud. I hope that other companies victimized by data extortion in the future take a hard-line stance like Express Scripts did in responding to such demands. Many companies fear that a data breach will do damage to the organization's reputation and might be tempted to pay an extortionist's demand to keep an incident out of the press.


It's important for companies to remember that perfect security is unattainable. Security breaches are inevitable and will continue to proliferate, despite the best efforts of companies like Express Scripts. As new security breaches are reported in the press nearly every week, I think the public is beginning to understand that these incidents are, regrettably, a fact of life in the information age. The companies that have suffered the most serious harm from security breaches are those that have failed to respond to those incidents in a reasonable manner, such as by attempting to conceal the incident from the public and potential fraud victims or delaying notification.

Topics

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...