AIS's Health Business Daily
Featured Story, December 3, 2008

Express Scripts and Some of its Clients Face Extortion Attempts After Recent Data Breach

Reprinted from DRUG BENEFIT NEWS, biweekly news, data and business strategies for health plans, PBMs and pharmaceutical companies.

By Neal Learner, Managing Editor (nlearner@aispub.com)

Express Scripts, Inc. on Nov. 11 said that some of its clients had received anonymous letters threatening to expose the personal information of members following a data breach at the PBM. Express Scripts, which is offering a $1 million reward for the arrest and conviction of the person or persons responsible for the extortion, said it believes the letters are connected to the extortion threat that it made public on Nov. 6.

The latest letters are similar to the one that Express Scripts received in early October that threatened to post millions of members' private information on the Internet if payment demands were not met, the PBM said. The original letter contained personal information on 75 members, including their names, dates of birth, Social Security numbers, and, in some cases, prescription information, according to Express Scripts.

While some observers say the PBM will likely lose business as a result of the breach, one Wall Street analyst tells DBN that he expects the PBM will be able to weather the PR storm. Other security experts, meanwhile, warn that all PBMs face similar data threats from organized criminals intent on exploiting their cyber weakness.

Express Scripts noted that it and the FBI have launched investigations to determine who is behind the threat. In addition, the company on Nov. 11 said that it had hired Kroll, a prominent risk-consulting firm, to offer assistance to its members if they become victims of identity theft because of this incident. Express Scripts also said it would offer members free identity restoration services if needed.
"Express Scripts is committed to the privacy and security of our members' personal information, so a threat like this against our members is outrageous," George Paz, president and CEO, said in a written statement. The company said it deploys "a variety of security systems" designed to protect members' personal information. "However, as security experts know, no data system is completely invulnerable," Paz asserted.

The PBM said that it has identified where the data that were involved in the security breach were stored in its systems, and has instituted enhanced controls. Express Scripts also maintained that it is unaware as of now of any misuse of members' information. Express Scripts has established a Web site to provide updates: www.esisupports.com.

The PBM so far has taken all of the right steps, says one security expert. "Textbook-wise, it looks like they're doing everything possible [to address the issue]," says Harry B. Rhodes, director of practice leadership at the American Health Information Management Association. Among other things, the PBM has examined the audit trail, contacted affected customers and is working with the FBI on the investigation, he notes.

Still, Rhodes says that now that Express Scripts has identified where the information came from in its database, the company should be able to start zeroing in on the people that had access to that information. He points out that 80% of data breaches are the result of an inside job. "They need to look at all of their employees, including their current employees," he suggests. "The current best practice is [that] you do a background check on people who have access to this type of information, especially people who can download or move or copy large portions of information."

Robert L. Coffield, a health care attorney at Flaherty, Sensabaugh & Bonasso, PLLC, says companies cannot protect against every potential breach. "But you certainly need to meet a minimum threshold standard," he tells DBN.
"When you fall below that standard, that is when you are going to be subject to litigation." Coffield did not offer any judgments as to the standards of Express Scripts' security systems.

Other PBMs say they have multiple data security measures in place to ward off similar attacks. For its part, Medco Health Solutions, Inc. has institutionalized encryption technologies across the enterprise, and has conducted exhaustive reviews of all HIPAA-related data, according to spokeswoman Ann Smith. All laptop and desktop computers and business-to-business information is encrypted, and the company has authentication and access control on its data, in addition to data security protocols that are proprietary, she explains. "We are obsessive and extreme on security with layers of backups," Smith tells DBN.

Likewise, CVS Caremark Corp., to its knowledge, has not received a letter similar to the one described by Express Scripts, says CVS Caremark spokeswoman Christine K. Cramer. "CVS Caremark's security programs are robust and have many internal controls that are designed to prevent unauthorized access to confidential information," she tells DBN. Key components of CVS Caremark's security program include the use of leading security technology, a comprehensive and consistently applied testing and validation program and strict protocols related to user access to confidential data, Cramer says.

Alan Paller, director of research at SANS Institute, a computer security training organization, says extortionists target companies whose paramount interest is keeping client information confidential. The health care industry represents a "perfect extortion target," he adds. "It's a massive crime, in the hundreds of millions of dollars," he tells DBN. Paller also asserts that it's likely that other PBMs have been hit as well. "They may have managed to keep it quiet, or they don't know yet," he says.
Breach Can Be Blow to Business

Rhodes says companies that experience data breaches can expect to lose business. But one Wall Street analyst says Express Scripts should be able to weather the storm as other PBMs have following data breaches. "Express Scripts has taken the appropriate steps to limit the damage," says Kemp Dolliver, a PBM securities analyst at Cowen and Company, LLC. "This situation looks like an embarrassment only absent evidence of a broader problem," he says, pointing out that Medco also had a data breach related to a lost laptop computer back in 2006 that involved data on an Ohio agency with 4,600 members.

"I don't see competitors loudly touting this," he says of the Express Scripts breach. "The company has taken some steps to get out in front of this with the impacted individuals and clients to mitigate the damage. They have to stay on top of this until they know the extent of the breach."

Rhodes suggests that Express Scripts publicize all of the things it has done to fix the problem. It will be especially important for the PBM to show that it has identified where its weaknesses are, has corrected them, and will have a process in place to do risk assessments constantly and watch for new weaknesses, Rhodes explains. "You win back the trust," he says. "A company this large, they cannot afford this kind of situation. If they want to be successful, they're going to come back with stronger controls."