Express Scripts being Blackmailed (personal medical records)

http://www.stltoday.com/blogzone/the-platform/published-editorials/2008/11/express-scripts-data-breach-is-bitter-medicine/

Express Scripts data breach is bitter medicine
By Editorial Board


Jarrett Baker | Post-Dispatch
Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

Last week, the criminal activity expanded: Express Scripts said that individual clients had received extortion letters directly.

Express Scripts is cooperating with the FBI in the case. It issued a statement saying it would not pay any extortion demands. The company is offering a $1 million reward for information leading to the arrest and conviction of the extortionist or extortionists.

Beyond the scale of the problem for Express Scripts — and the potential impact on the company is enormous — the issue extends well beyond the mounting concerns about identity theft, a phenomenon with which most people have become at least somewhat familiar.

The greater problem is the unique nature of personal medical records, the importance of moving to computerization of such records to improve health safety and reduce costs and the irreversibility of the damage people can suffer if confidential medical information becomes public. The stakes are so high that a federal law establishes strict standards for maintaining the privacy of medical information and stiff fines for failing to do so.

SSN's were supposed to be for one and only one purpose: correlating SS payments and benefits. Nowadays they're almost a password to any bank account.

to get service.

The cable company. I don't think so.

I am fairly sure the phone co. has my ss# - I imagine I gave it to them years ago... before anyone even thought about identity theft.

Even when I was in the military in principle they were supposed to read you the three-page disclaimer and justification any time anybody asked your SSN. That rarely happened but at least in principle they were supposed to.

someone who works, used to work, or is affiliated with the records in some way is doing this

I would put money on it.

My company uses them. It wasn't enough that they wanted to charge me a $548 copay (yes, you read right) per MONTH, but they can't even keep our data safe?????

Fortunately, I managed to get my Betaseron through a payment assistance plan. But if reprehensor gets a decent job again, we're fucked.

at express scrpts discretion. I use express scripts and pay a $9.00 copay for 90 day supply.

But my company has obviously never had anyone working there with MS before.

There is no way I'd ever get to pay a $9.00 copay for this stuff. Word to the wise...knock off the Diet Coke. You'll end up where I am. And it ain't cheap.