Health information on state employees at risk
Toolbox
By Louis Porter Vermont Press Bureau - Published: November 24, 2008
MONTPELIER – The private information of thousands of state employees is potentially at risk in a computer hacking and extortion incident.
The target was Express Scripts Inc., which is the pharmacy benefit company for Vermont state workers, as well as the employees of many institutions and companies around the country. The company was threatened by still unidentified people in October that private information of members of its clients' health plans would be released if demands were not met.
The records of 75 individuals – none of whom are Vermont state workers – were included to lend weight to the threat.
"What we do know is that the criminal or criminals in this situation … in early October sent Express Scripts a letter demanding money in exchange for their not publicly releasing the names and personal information of millions of patients," said Steve Littlejohn, vice president of public affairs for the company.
Then in November, those trying to extort money from the company sent some if its client companies information from its database as well. Littlejohn declined to identify if the state of Vermont was among those employers.
Express Scripts went public with the problem after that second round of notices, and has since offered a $1 million reward for information leading to the arrest and prosecution of those responsible.
It is unclear if private information of all of the state workers who get pharmacy benefits is at risk, or only those who have used the medicine service. So far, there have been no cases of clients of Express Scripts – including Vermont state workers –being the victims of identify theft because of the potential breach.
In fact, the company has not been able to positively identify whether there was, or was not, such a breach of its databases.
"We have not seen any evidence of information being made public or maliciously misused, other than being included in these letters," Littlejohn said.
And no state workers have apparently been a victim of identity theft through the Express Scripts threat, said David Herlihy, commissioner of human resources for the state.
Littlejohn said the company went public after the second notification by those who claim to have the information, not after the first, because of timing.
"We really had to balance between, on the one hand, giving the investigation time to take shape … and on the other hand giving our clients as much information as we could," he said. "We are taking this very seriously."
It is unusual, in fact, for companies to make such threats public at all, Littlejohn said.
"We wanted to do whatever we could to stand by our clients," he said.
It is not the first such computer database problem to trouble Vermont. In 2007, an automated program hacked into a state database, although there were no reports of identity theft as a result of the incident. A year before that, many Vermonters, including military veterans, had their personal information compromised when a U.S. Department of Veteran's Affairs computer was stolen. Before that, a Vermont State College laptop with information on people connected to the college system was stolen in Montreal.
Herlihy said using computer databases both improves and endangers the security of such databases.
"When you operate in an electronic world you eliminate certain kinds of risk. There is less paperwork going around," he said. But "it introduces a new kind of risk."
More information is available at http://www.esisupports.com.
7