An ongoing investigation into the breach of personal medical records held by pharmacy benefits manager Express Scripts took a new turn yesterday. The company claimed the alleged perpetrator was trying to prove they held more records than originally reported.
The breach was first reported a year ago, when an unidentified culprit claimed they possessed 75 personal records of Express Scripts customers, including in some cases names, addresses, Social Security numbers, and prescription information. The culprit claimed they had access to millions of other records, and would release the information unless their monetary demands were met.
Express Scripts instead notified the Federal Bureau of Investigation (FBI) and offered a $1 million reward for information leading to the arrest of the perpetrator. Now, the company claimed, the FBI informed them that the alleged culprit does have access to the records.
The company has already notified 1,771 customers in New Hampshire that their information was compromised, according to DataBreaches.Net, but Express Scripts spokesperson Maria Palumbo said there was no evidence that any of the breached information had been misused.
"We did send letters to members across the country," Palumbo told the Dow Jones Newswire.
The Express Scripts news comes at a sensitive time due to the Obama administration's push for increased adoption of electronic medical records, online prescriptions, and other online-based health practices. The company's recent purchase of NextRX, the benefits manager formerly owned by health insurer WellPoint, Inc., leaves it poised to be an even bigger player in the online prescription world.
Express Scripts came under fire in 2004 from former New York State Attorney General Eliot Spitzer, who claimed the company overcharged the state's employee health plan for prescription drugs and pocketed the differences for itself.
The company settled charges with 29 states in 2008 that it deliberately pushed customers to switch from certain brand-name drugs to others without explaining the process clearly, often leaving customers paying higher prices.
ConsumerAffairs.com readers regularly write in with complaints about Express Scripts, ranging from difficulties getting prescriptions filled to problems tracking requests and authorizations from insurance companies.
What you can do
If you've been contacted by Express Scripts regarding the data breach, the New York State Board of Consumer Protection recommends the following:
• Get the facts from the notification: Read the letter carefully to understand what assistance the company may be offering you. If you have questions, contact Kroll Inc., the company assisting Express Scripts, at the phone number provided in the letter.
• Call the credit reporting agencies: Report the breach to all three of the major credit reporting agencies by calling any one of the following toll-free fraud numbers: Trans Union 1-800-680-7289, Experian 1-888-397-3742 and Equifax 1-800-525-6285. You will reach an automated telephone system that allows you to flag your file with a fraud alert at all three agencies. You will also be sent instructions on how to obtain a copy of your report from each of the credit agencies. A fraud alert helps protect you against the possibility of an identity thief opening new accounts in your name. When a merchant checks the credit history of someone applying for credit, the retailer receives a notice that there may be fraud on the account, and must take steps to verify the identity of the applicant.
• Order your credit reports for free: You may order one credit report from each of the three credit reporting agencies every twelve months. You can place your order online or by phone at www.annualcreditreport.com or by calling 1-877-322-8228. We recommend that you order one report from a different credit reporting agency every four months to help maximize your protection. Should you become aware that you are a victim of identity theft, you are entitled to an additional free credit report each year.
• Watch for signs of fraud: Read your credit reports, look for accounts you don't recognize, especially accounts opened recently. Look in the inquiries section for names of creditors from whom you haven't requested credit. Some companies bill under names other than their store names. The credit reporting agency will be able to tell you when that is the case. You may find some inquiries identified as "promotional." These occur when a company has obtained your name and address from a credit reporting agency to send you an offer of credit. Promotional inquiries are not signs of fraud. (You are automatically removed from lists to receive unsolicited offers of this kind when you place a fraud alert.)
• Read your financial statements, including your credit card statements, checking account statements, mortgage and auto loan statements, etc. carefully. As a general precaution, look in the personal information section of your credit report for any address listed for you where you've never lived.
• Close all compromised accounts. This is the best way to reduce your risk of an ongoing breach.
• Retain all paperwork. Maintain a file documenting all the actions you have taken along with copies of all the letters you have written and the documents you have reviewed.