November 07, 2008, 10:00 AM — Data thieves are threatening to release millions of patient records held by a U.S. prescription drug management company unless the company pays up.
Express Scripts, based in St. Louis, Missouri, said on Thursday it received a letter in early October with the names, birth dates, Social Security numbers and some prescription information for 75 patients. The company provides benefit management services to health care organizations, insurers and other businesses.
The company has notified the U.S. Federal Bureau of Investigation, as well as those people whose information was included in the letter, according to a company statement.
"While we are unaware at this time of any actual misuse of any members' information, we understand the concern that this situation has caused our members," Express Scripts said on a Web site set up to provide information on the breach.
The company has also included contact information for credit monitoring agencies and other resources for people who believed they may be a victim of fraud.
Express Scripts said it has a variety of security systems to protect patient data but said no system is invulnerable. Officials have identified where the data was stored and have implemented "enhanced controls," the company said.
The data breach at Express Scripts underscores the trouble enterprises and governments are having protecting their data from loss, theft and inadvertent disclosure.
Since January 2005, more than 230 million records involving the personal data of U.S. residents have been compromised due to breaches, according to the Privacy Rights Clearinghouse's Chronology of Data Breaches.
Hackers targeting an insecure wireless network at retailer TJX resulted in upwards of 94 million credit and debit card accounts being compromised in 2007.
In 2006, 26.5 million records containing the names, Social Security numbers and birth dates of U.S. military veterans were stolen from the Department of Veteran Affairs.