Express Scripts Inc. (ESRX), the object of a 2008 extortion attempt by someone threatening to expose the personal data of patients in its drug plans, recently learned that the perpetrator took steps to prove he or she possesses more member records than those previously shown.

Since the threat was first made nearly a year ago, the St. Louis-based company, one of the largest U.S. pharmacy benefits managers, has sent notification letters to approximately 700,000 affected people, an Express Scripts spokeswoman said Wednesday. Information wasn't immediately available on how many of those letters stemmed from the latest move by the data breacher.

The Federal Bureau of Investigation informed Express Scripts in late August "that the perpetrator had recently taken action to prove that he possesses more members' records from the same period as those identified in the 2008 extortion attempt," the company said in an undated update on Express Scripts' support Web site.

"Express Scripts is in the process of notifying these members," the company said. "Express Scripts is unaware at this time of any actual misuse of members' information, but we understand the concern that this situation has caused our members."

Express Scripts spokeswoman Maria Palumbo told Dow Jones Newswires that the person who illegally obtained member records recently sent a data file to a law firm, which forwarded it to the FBI. Palumbo wouldn't identify the law firm, other than to say it was one that had filed a lawsuit against the company.

"This is a new development of the same incident that happened last fall," said Palumbo. The breacher now has proven the possession of additional records from that time, she explained.

The breach came to Express Scripts' attention in October 2008, when the company received an anonymous letter threatening to expose millions of member records on the Internet if an extortion demand wasn't satisfied. The letter included personal data on 75 members of the company's drug-benefit plans, including Social Security numbers, addresses, birth dates and, for some, prescription information. In November, some of Express Scripts' clients received similar letters.

Express Scripts notified all affected members and the FBI, which started an investigation. The company also established a $1 million reward for information leading to the arrest and conviction of those responsible for the data breach and extortion attempt, and contracted with Kroll Fraud Solutions, part of a Marsh & McClennan Cos. (MMC) unit, to assist members who believe they may be victims of identity theft because of the incident.

Express Scripts has taken aggressive action to enhance security operations and data handling procedures, said Palumbo.

After the most recent development, Express Scripts more than two weeks ago sent a letter to the New Hampshire attorney general saying it was notifying 1,771 individuals in that state alone that their personal data had been obtained without authorization. The letters sent to affected individuals indicate that some may be former members of Express Scripts' prescription-benefit plans.

"We did send letters to members across the country," said Palumbo.

The company said on its site that it "stands firm in our refusal to give in to the demands of the extortionist and will continue to cooperate fully with the FBI in their investigation."

The Express Scripts update and New Hampshire letter were reported in mid-September on databreaches.net, or Office of Inadequate Security, which follows such incidents.

Express Scripts, which doesn't typically release its total membership, has enrollment in the "tens of millions," said Palumbo.

The data breach occurs as the federal government and the health-care and information-technology industries are pushing for broad adoption of electronic health records and prescriptions and other forms of health IT.

Express Scripts, the third-largest pharmacy benefits manager in the U.S., will expand significantly after its planned acquisition of health insurer WellPoint Inc.'s (WLP) in-house PBM, NextRx, this year. The deal includes a 10-year contract for Express Scripts to provide services to WellPoint, the largest corporate U.S. health insurer by membership.

On the Web:

www.esisupports.com

http://doj.nh.gov/consumer/pdf/express_scripts.pdf

-By Dinah Wisenberg Brin, Dow Jones Newswires; 215-656-8285; dinah.brin@dowjones.com