Monday, November 10, 2008

Extortionists Target Major Pharmacy Processor

One of the nation's largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

St. Louis-based Express Scripts said that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement.

The company's chief executive, George Paz, said Express Scripts has no intention of paying the extortion demand and that his company is working with the FBI to track down the person or persons responsible for the scam.

Express Scripts is among the largest pharmacy benefit management firms, companies that process and pay prescription drug claims. It handles roughly 500 million prescriptions a year for about 50 million Americans.

The ransom note was delivered through the mail, said company spokesman Steve Littlejohn. However, he declined to say how much money the extortionists were demanding. He added that the company is still trying to determine how the data was stolen.

"We know where the data came from by looking at it, but precisely how it was accessed is still part of the investigation," Littlejohn said.

The company has set up a Web site to give concerned consumers tips on how to protect their identity. While Express Scripts doesn't interact with consumers directly, the company's name is printed on prescription cards of health care plans that use its services, Littlejohn said.

Alan Paller, director of research for the SANS Institute, a Bethesda, Md., based computer security training group, said cyber and data extortion incidents rarely make the news because most victims find it more expedient to simply pay up.

"There are thousands of companies that have already paid off extortionists in return for not having their customers' data exposed," Paller said. "This is especially true in the financial industry, as some banks are now getting more than one new extortion demand per day."

Paller said for years he has been expecting extortionists to begin targeting the health care industry.

"In many ways, this is the perfect extortion target," Paller said. "Nobody is going to want to go to a health care provider if they think their private medical history is going to be revealed to the world online. Hospitals wouldn't have to think too hard about that before paying off an extortion demand."

Graham Cluley, a senior technology consultant for Sophos, a computer security company based in the United Kingdom, said Express Scripts made the right move in contacting the FBI and refusing to pay the ransom.

"Data extortion is not like if your daughter gets kidnapped: Even if something is returned to you, you can never be sure they're not going to carry on taking advantage of the situation," Cluley said. "The bad guys can always just make a copy of what they've stolen, and they can keep on coming back and asking for money, or they can still go and sell the data online."

taken from Pharmacist e-link on November 11, 2008: http://www.pharmacistelink.com/index.phpoption=com_content&task=view&id=10636&Itemid=274