WASHINGTON — Express Scripts said Thursday it has received a letter demanding money from the company under the threat of exposing records of millions of patients.
The threat was made in an anonymous letter that the company turned over to federal investigators. The letter, received in early October, included personal information on 75 people covered by Express Scripts, including birth dates, social security numbers and prescription information.
Express manages prescription benefits for roughly 50 million people through thousands of clients, including health insurers, employers and union-sponsored plans.
A company spokesman said Express waited to reveal the breach "to give the investigation time to proceed and get under way."
"We believe informing the public now was the appropriate time to do so under the circumstances," said spokesman Steve Littlejohn.
Littlejohn said the company alerted customers whose information appeared in the letter but does not know whether additional persons' information was exposed. The company currently has no plans to individually contact other beneficiaries. Although laws vary, companies generally are legally obligated to contact only people whose information has definitely been exposed.
The company has set up a Web site for beneficiaries about the incident: esisupports.com.
According to the site, company staff believe they have identified the area where the data was stored and "have instituted enhanced controls."
The company said it has not received any reports of identity theft associated with the problem.
"We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act," company Chief Executive George Paz said.
Earlier this year 11 people were indicted on suspicion of stealing 41 million credit and debit card numbers. The case is believed to be the largest identity theft on record, and involved the breach of computer networks of BJ's Wholesale Club, Barnes & Noble and other retailers.
If Express determines all of its beneficiary information was exposed, it would likely set a new record, according to the Privacy Rights Clearinghouse, a nonprofit group that tracks data security problems.
More than 245 million records of U.S. citizens have been exposed since 2005, according to the group.
"The overall numbers are increasing, but it's not clear whether that's due to more states having laws that require their disclosure, or an actual increase in breaches," said Paul Stephens, the group's policy director.
Since 2003, 40 states have adopted laws requiring companies to notify people when their personal information has been exposed. There is currently no nationwide requirement.
Express Scripts shares fell $3.85, or 6.2 percent, to close at $57.93 on a day in which the Dow Jones industrial average fell nearly 5 percent.