ESI Supports - Frequently Asked Questions

Home
The Facts
Frequently Asked Questions
Resource Center
Media
Investors

Frequently Asked Questions

Who is Express Scripts and why do you have my personal information?

Express Scripts works with health benefit plans, processing millions of prescriptions each year through Home Delivery and at retail pharmacies. As we are involved in processing employee prescription drug benefits, it is necessary for us to have access to personal information such as your name, date of birth, Social Security number and member number. Our records may also include your prescription information. We understand your concern about this situation. At Express Scripts, we are committed to protecting the privacy and security of our members' information. We deploy a variety of security systems and procedures to protect that information from unauthorized access. However, as security experts know, no data system is completely invulnerable.

I heard about the unauthorized access of member data at Express Scripts. What happened?

In October 2008, Express Scripts received a letter from an unknown person or persons trying to extort money from the company. This unknown person or persons threatened to expose millions of Express Scripts members’ records on the Internet if an extortion threat was not met. The extortion letter contained information on 75 members, including Social Security numbers, dates of birth, and in some cases, prescription information. In November 2008, a small number of additional clients also received similar letters from the perpetrator. All members whose information was contained in the letters were notified. Express Scripts notified the FBI and an official investigation was launched. In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had taken action to prove that he still possesses additional member records from the same period of time as those identified in the 2008 extortion attempt. At this time, Express Scripts has not confirmed any fraudulent misuse of member information as a result of this incident. However, we understand the concern it is causing our members, and we are monitoring the situation very closely. Please visit our Resource Center to see what steps you can take to safeguard your personal information.

What was done after the receipt of the extortion letter in 2008?

In November 2008, Express Scripts immediately notified the FBI after receiving the letter. Additionally, we launched our own investigation with the assistance of outside experts in data security and computer forensics. We notified the affected members so they could take steps to protect themselves from possible identity theft. Since that time, the company has taken aggressive action to enhance its security operations and data handling procedures. We want to assure our clients and members that we are doing everything we can to secure their data and identify those responsible for the security incident. Express Scripts also established a reward of $1 million for the person or persons who provides information resulting in the arrest and conviction of those responsible for these criminal acts.

What is being done in response to the latest incident?

Express Scripts notified all affected clients, initiated notification of affected members and is supporting all of its members who suspect they are victims of identity theft as a result of the incident. Also, through this website, we are providing a gateway for easy access to experts and resources that will help our members maintain vigilance over their personal information. We continue to offer the $1 million reward for information about the perpetrator. We encourage anyone with information about the extortion threats to contact the FBI at 1-800-CALL-FBI. We continue to stand firm in our refusal to give in to the demands of the extortionist.

If this data incident first happened back in 2008, why was I only recently notified?

In November 2008, Express Scripts received a letter from an unknown person trying to extort money from the company by threatening to publicly expose millions of our members’ records. We immediately notified the FBI and they continue to investigate. We also immediately notified all those members whose records were included in the letter. If your records were not in that letter, Express Scripts did not notify you individually. However, Express Scripts did issue a press release about the incident and created a dedicated website for information about it, www.esisupports.com. In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records. We notified all of these newly identified members and that is why you may have recently received a letter from Express Scripts.

How did it happen?

We believe we have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls. We are continuing our investigation to identify those responsible for any unauthorized access.

Should I feel confident about using your website for refills and other transactions?

Yes. We have put enhanced security processes in place.

How do I know if my company received an extortion letter?

We have notified all our clients whose data was listed in the extortion letters.

How will you notify me if you find out if my records have been accessed?

We are in the process of sending letters to newly affected members.

Has the data that was accessed been used for identity theft?

To date, there have been no reported cases of misuse of member information resulting from the security incident.

How can I protect myself and my family?

Express Scripts is supporting all of its members who suspect they are victims of identity theft as a result of the incident. As recommended by leading security experts, we strongly encourage all members to remain vigilant in monitoring their personal information. Detailed information is available in the Resource Center, which provides a gateway for easy access to experts and resources that will help members maintain vigilance over their personal information.

Through the Resource Center, you can get information about credit monitoring services by visiting the following websites: www.equifax.com, www.transunion.com, www.experian.com, and www.annualcreditreport.com. Should you find any suspicious activity on your credit report or have reason to believe your information is being misused, contact your local law enforcement agency and file a police report. There is important information about preventing identity theft on the Federal Trade Commission’s website. If you suspect you have been the victim of Medicare/Medicaid fraud, call 1-800-HHS-TIPS (1-800-447-8477).