Express Scripts data files breached
MU health benefit provider victim of Web hackers.
Published Nov. 10, 2008
Pharmaceutical company Express Scripts warned of a "large data" breach last Thursday that could lead to the exposure of millions of customers' personal information. The UM system is one of Express Scripts' customers.
Express Scripts is a part of the system's medical benefits plan for faculty, staff and retirees, but not students.
Express Scripts received an anonymous letter that included personal information of 75 members, including their names, dates of birth, social security numbers and in some cases their prescription information, according to Express Scripts in a news release.
"We do not yet know whether any of our files were part of this unauthorized access," UM system President Gary Forsee said in an e-mail to UM system staff.
The letter also threatened to expose millions of the company's members' records on the Internet if an extortion threat was not met. The company immediately notified the 75 customers and the FBI.
The company said it is conducting its own investigation with the help of outside experts in data security and computer forensics, according to the release.
"Express Scripts provides pharmacy benefit management services for more than 50 million people nationwide," UM system spokeswoman Jennifer Hollingshead said.
"While approximately 41,000 MU employees, retirees and their dependents utilize Express Scripts, it is important to note that the impact of this potential security breach extends far beyond the University of Missouri."
The company created a Web site, www.esisupports.com, for customers to receive information on the incident.
Dale Musser, an assistant professor in the computer science department, said he met the CEO of Express Scripts and thought they were doing everything they could in such a tough situation.
"The typical rule of things is there is no such thing as 100 percent secure. You can do a good job of it or do a bad job of it," Musser said.
Musser, who is also the director of the Information Technology program, said he recognized that there has been an increasing trend in hackers trying to make profit from their work.
"I think that has been a trend over the years from the standpoint that for the early hackers it was sort of a misspent youth sort of thing, but hacking for the purpose of making money fits right up there with any kind of organized crime."
It is impossible to know whether or not the hackers actually have more than 75 people's data, and how they obtained it, Musser said.
"It could have been a result of an internal collusion, working with someone on the inside," he said. "It could have been some sort of technical hole in the way the data was being handled. It could have been any number of incidents."
The company's Web site states that it believes it has identified where the data involved in this situation was stored in their systems and have instituted enhanced controls.
In the news release, George Paz, chairman and chief executive officer of Express Scripts, said as security experts know, no data system is completely invulnerable. He said they will continue to conduct their investigation and are notifying their members and clients to enable them to take steps to protect themselves from possible identity theft.
Express Scripts is headquartered in St. Louis.