Friday, November 07, 2008

Potential Data Breach and Extortion at Express Scripts

The WSJ Health Blogs reports about a potential data breach at Express Scripts, one of the largest pharmacy benefit management companies in North America. More from Express Scripts on the Facts, FAQs and Other Resources.

The potential data breach came to Express Scripts attention after having received an anonymous letter attempting to extort money from the company by threatening the expose millions of patient records. The threat letter included personal information on 75 members, including names, dates of birth, social security numbers and prescription information.

The article also mentions a similar extortion related data breach which occurred in March 2006 and involved Medical Excess LLC, a subsidiary of AIG. In that case the FBI investigated and arrested an individual who stole a computer server containing personal health information of more than 900,000 individuals. The individual tried to extort AIG for $208,000 after threatening to release the information on the Internet.

According to the FBI Press Release, the individual involved was the first person to be charged under the new federal criminal statute, Title 18 U.S.C. 1030(a)(7)(B) and (C). The new federal criminal statute makes it a federal crime to commit extortion relating to unauthorized access of, or damage to, a protected computer system and/or to impair the confidentiality of information obtained from a protected computer.

To learn more read Express Scripts' press release and related support site.

No comments: