A New Response Model to Data Breaches?

You don’t hear about too many of these. Express Scripts, which manages prescription benefits on behalf of health insurers for more than 50 million people, was the victim of an extortion attempt by a perpetrator who threatened to expose the records of millions of Express Scripts customers.

The St. Louis company got a letter in October that contained a sample of personal data, including prescription info on about 75 customers, and demanded cash. What the would-be mastermind probably wasn’t counting on is that Express promptly turned the issue over to the FBI. Since the company went public with the story on Nov. 6, the company was informed that a number of its clients had received similar extortion letters threatening the release of the customer data.

Some interesting developments that set this apart from the rest of the data breach news, and from other whispered rumors about extortion attempts. The company said it’s offering a $1 million reward for information leading to the arrest and conviction of the perpetrator. And in contrast to the usual offer of identity theft monitoring services, Express Scripts is taking a more conservative approach in offering Kroll’s identity restoration services to anyone who becomes a victim of identity theft as a result of the breach.

That saves the company millions, and, given the dubious utility of some of the identity theft monitoring solutions on the market, like a smarter move for consumers. The downside is that it could be years before consumers would know they’ve been victimized, and tracing the problem back to this breach would be difficult. How this approach flies with consumers, regulators and the press could be a bellwether for data breaches going forward.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER