Better safe than sorry: Express Scripts should notify everyone

Almost a year after it was contacted by an extortionist, pharmacy benefits management company Express Scripts first learned that the extortionist was in possession of at least 700,000 more members’ personal information than they originally knew about. The company has now notified those individuals, but how many other members may also be affected? It’s time for the company to notify everyone.

Earlier this week, while reporting new details on the Express Scripts breach, I commented on a statement made by Express Scripts on their web site that the company was “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.” I noted that the statement struck me as somewhat preposterous because the company was already aware of actual misuse of the information — the extortion demand itself was actual misuse of the information.

Yesterday, a site reader alerted me to the fact that Express Scripts subsequently changed that portion of their support web site to now read:

“At this time, Express Scripts has not confirmed any fraudulent misuse of member information as a result of this incident.”

While I appreciate that they are no longer suggesting that there’s been no misuse, their new wording is still somewhat problematic. What does “has not confirmed any fraudulent misuse” mean? Does it mean that they have now actually received some reports of fraud or ID theft that have been attributed to the breach but that they have not confirmed as being due to the breach, or does it mean something else?

Express Scripts has not replied to an inquiry I sent them yesterday asking them to clarify what this new wording actually means. If they do, I will update this entry, but in the meantime, nagging questions remain, such as:

1. Why has Express Scripts been unable to determine how many — and whose — records were acquired by the extortionist? After diligent investigation on their part, they never discovered that 700,000 members’ records had been accessed; and

2. How many other members’ records does the extortionist also possess?

Express Scripts is certainly not the first entity to be unable to determine the full scope of a breach, but in this case, where we already have evidence of some malicious purpose, identifying all of those affected takes on added import.

We have often seen the phrase “in an abundance of caution” used in notification letters. In this case, an abundance of caution would mean notifying everyone whose data were potentially acquired. Express Scripts has not taken that approach, however. As a result, 700,000 people whose data were acquired almost a year ago are first learning that they are at risk, and we do not know how many others may also be at risk of ID theft.

In its summary of this incident, the Wisconsin Office of Privacy Protection described who’s affected as “Millions of member records to include a number of Wisconsin residents.” Based on Express Scripts’ notifications to states, that description appears to be erroneous. But then again, maybe it’s just prescient.

Given that the company is dealing with a situation in which they already have evidence that the individual is willing to misuse member data, and given the market for Social Security numbers with dates of birth and other personal information, this blogger believes that a “when in doubt, notify” approach is warranted. While I give credit to Express Scripts for not paying the extortion demands, they must certainly realize that if the extortionist cannot get money from them, it is quite possible that the data will be put up for sale. Express Scripts’ members need to know that so that they can be vigilant about their credit reports, but that will not happen if the company does not notify them that they may be at risk. Saying that they have notified those whose data they know to have been acquired strikes me as not prudent enough given their inability to determine the scope of this breach. I urge them to notify everyone whose records may have been in the database that they suspect was accessed. If ever an “abundance of caution” was in order, this is such a situation.

About the author: Dissent