Network News

X My Profile
View More Activity

Extortionists Target Major Pharmacy Processor

One of the nation's largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

St. Louis-based Express Scripts said that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement.

The company's chief executive George Paz said Express Scripts has no intentions of paying the extortion demand and said his company is working with the FBI to track down the person or persons responsible for the scam.

Express Scripts is among the largest pharmacy benefit management firms, companies that process and pay prescription drug claims. It handles roughly 500 million prescriptions a year for about 50 million Americans.

The ransom note was delivered through the mail, said company spokesman Steve Littlejohn. However, he declined to say how much money the extortionists were demanding. He added that the company is still trying to determine how the data was stolen.

"We know where the data came from by looking at it, but precisely how it was accessed is still part of the investigation," Littlejohn said.

The company has set up a Web site to give concerned consumers tips on how to protect their identity. While Express Scripts doesn't interact with consumers directly, the company's name is printed on prescription cards of health care plans that use its services, Littlejohn said.

Alan Paller, director of research for the SANS Institute, a Bethesda, Md., based computer security training group, said cyber and data extortion incidents rarely make the news because most victims find it more expedient to simply pay up.

"There are thousands of companies that have already paid off extortionists in return for not having their customers' data exposed," Paller said. "This especially true in the financial industry, as some banks are now getting more than one new extortion demand per day."

Paller said for years he has been expecting extortionists to begin targeting the health care industry.

"In many ways, this is the perfect extortion target," Paller said. "Nobody is going to want to go to a health care provider if they think their private medical history is going to be revealed to the world online. Hospitals wouldn't have to think too hard about that before paying off an extortion demand."

Graham Cluley, a senior technology consultant for Sophos, a computer security company based in the United Kingdom, said Express Scripts made the right move in contacting the FBI and refusing to pay the ransom.

"Data extortion is not like if your daughter gets kidnapped: Even if something is returned to you, you can never be sure they're not going to carry on taking advantage of the situation," Cluley said. "The bad guys can always just make a copy of what they've stolen, and they can keep on coming back and asking for money, or they can still go and sell the data online."

By Brian Krebs  |  November 7, 2008; 7:55 AM ET
Categories:  Fraud , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Researchers Hijack Storm Worm to Track Profits
Next: VISA to Enforce Payment Card Security in Europe




Posted by: | November 7, 2008 9:14 AM | Report abuse

In the realm of risk, unmanaged possibilities become probabilities: These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium."
The author, David Scott, has an interview here that is a great exposure:
I like to pass along things that work, in the hope that good ideas continue to make their way to me.

Posted by: johnfranks999 | November 7, 2008 9:56 AM | Report abuse

Bruce, when you post in all capital letters, you're in effect screaming at people. Cut it out!

Posted by: Heron | November 7, 2008 10:34 AM | Report abuse

I don't know who first decided that capital letters, used a century for emphasis and drawing attention to a particular point must now always mean that someone's yelling, but I can't believe that yelling was Bruce's intent... or maybe it was? Anyway, 75 names was probably a sampling of what information they could leak rather than the sum total.
However, perhaps it's time to allow one of these RX giants to go down in flames over the carelessness in which they handle the serious personal information that's entrusted to their care. And I don't mean that they raise prices industry-wide through clandestine price-fixing to cover the investment of current security systems... I mean that they are forced to invest a little more of their obscene profits or allowed to go out of business. Such an example is the only way to force the industry to do the right thing.

Posted by: TerrifiedAmerican | November 7, 2008 12:32 PM | Report abuse

This kind of thing is what makes me nervous when politicians say they're going to cut medical costs by storing everything electronically.

Posted by: Heron | November 7, 2008 1:47 PM | Report abuse



Posted by:"

First of all... the caps lock button is to the left of the "A" button. You seem to be confused about that.

Second... they handed over 75 but they probably have many, many more.

Third... this company screwed up and they're willing to let their customers suffer instead of their profits? Suuuure, they're very heroic with OTHER people's information.

Posted by: fake1 | November 7, 2008 2:22 PM | Report abuse

For those people out there that feel they are at risk of having their personal information stolen you should get LifeLock. They have helped me prevent my identity from being stolen after someone opened a credit card in my name. I Found a website that will give you the first month free and a discount on your membership. LifeLock I thought it was a pretty good deal and I have never looked back and my credit is now as clean as a whistle.

Posted by: willburns1 | November 7, 2008 3:28 PM | Report abuse

For those people out there that feel they are at risk of having their personal information stolen you should get LifeLock. They have helped me prevent my identity from being stolen after someone opened a credit card in my name. I Found a website that will give you the first month free and a discount on your membership. I thought it was a pretty good deal and I have never looked back and my credit is now as clean as a whistle.

Posted by: willburns1 | November 7, 2008 3:32 PM | Report abuse


I have now had any number of people tell me that TYPING IN ALL CAPS is YELLING. I have simply never seen it as yelling, but for me it is used for EMPHASIS.

For those of use who are HAMS -.-. --.- etc., we use to copy high speed morse code on 'mills.' A 'mill' is a manual typewriter that is all caps, regardless of what position the selector switch, or adjustment was in. The idea that typing in all caps is yelling is therefore hardly a traditional concept.

Incidentally, in a routine post as one looks down a line of posts, the CAPS STAND OUT before everyone elses FOR SURE.

Try to read down a line of posts that is extended and one finds oneself skimming until you hit the post in all caps and then that one is often read. Call it psychology, or whatever it does get noticed for sure, but yelling ????

You will observe this is not in all caps.

Posted by: | November 7, 2008 7:31 PM | Report abuse

Bruce, I often skip posts in all caps. Posting that way is just plain rude. It's one thing to highlight words for emphasis, but quite another to expect people to read long stretches in all caps. Sentences typed that way are harder to read.

Check it out:

Posted by: Heron | November 7, 2008 7:55 PM | Report abuse

"The capital letters of a given font are usually the same height and width as one another. Setting your text in all capital letters creates a block effect that makes the words more difficult to read. This is particularly true when the text is bold. The result is a block that is uninviting and difficult to process. This block effect makes it more difficult for the reader to differentiate between words and characters. Upper and lower case typography reduces this block effect and makes the reading and processing of information easier.

According to Karen Schriver in her book Dynamics in Document Design, 'When text is set in all capital letters, reading speed is slowed about 13 to 20 percent. Reading speed is optimal when uppercase and lower case letters are used.'"

*gets off of soapbox*

Posted by: Heron | November 7, 2008 8:00 PM | Report abuse

And Bush is cutting back on Medicaid.
Face it, our little machines which are so awful fun are a Pandora's box for the world. Please keep your own machine as tight as possible. Pretty please?

Posted by: n7uno | November 8, 2008 1:17 AM | Report abuse

You should all know that the extortionists got those records from the *outsourced* Indian database. A dirty little secret is that outsourcing of records is the primary cause of data theft. Worse, since that information is in India, it is completely beyond the reach or control of U.S. laws governing privacy or use of the data. In India, medical, banking and credit, pharmacy, criminal, even records of letters you may have written to the editor of your local newspaper, are all correlated and available, for sale, to employers, insurance companies, criminal gags, anyone. This is just one consequence of outsourcing jobs. The other one, of course, is our economy in the tank. Write your Congressmen and demand that punitive taxes, tariff's, and duties be imposed on goods and services hat are outsourced. Impose these on the investors and companies. Get our jobs back and the present recession will end.

Posted by: mibrooks27 | November 8, 2008 3:04 PM | Report abuse

Out sourcing jobs has nothing to do with the problem. Even if the jobs wernt outsourced but the data was stored in India you would still be reading this artical. As far as mibrooks27 comments he thinks out sourcing is the cause of the economic problems. This only shows the ignorance in todays society. Taxes and tasrrifs would do nothing but raise prices and cost jobs. mibrooks27 obviously has no clue. Out sourcing jobs will never end. If you want to stop it, simply don't do business with companines that out source. Here are a few.

Aspire Visa
Godman Sachs
JP Morgan
40 State Gov. out source jobs
The Smithsonian
96% of all clothing mad is made outside the US
Carrier Airconditioning
Nexus Communications
Metro WMAA
American Express

Ban these companies. If the people join together and stop dealing with the companies that out source our jobs we can fix the problem.

Posted by: askgees | November 8, 2008 6:29 PM | Report abuse

The Lifelock posts may be spam posted by someone affiliated with the company. You can do anything that company will do for you yourself, like get free copies of your credit reports. Identity theft insurance is about as worthwhile as credit card insurance (that is, a waste of money).

To keep your identity as safe as possible, use a firewall on your computer, use good passwords (not common words or simple things like your date of birth), and keep all software up-to-date. Get your bills delivered to a locked mailbox. Visit to stop receiving unsolicited credit offers. Shred anything with private financial information on it that you don't need for your files. Finally, be careful at ATMs. If anything looks amiss, don't use the machine, and notify whomever manages it.

You're entitled to a free copy of a credit report from each of the three bureaus each year; order one every four months, so you can look for any suspicious activity. Call 1-877-322-8228, or visit

Posted by: Heron | November 10, 2008 10:43 AM | Report abuse

FYI, My company notified us last Fri the 7th around 2pm that this had occured . We can use Express Scripts if we so choose. I haven't much myself, but once I suppose is too much now in this case. Today a few minutes ago we were just notified that one of our retirees info was among the 75 peoples data that was on the list.

Posted by: MinCT | November 10, 2008 4:35 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company