One of the nation’s largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

Brian Krebs on Computer Security, Washington Post (11/7/08)

The Washington Post reports that Express Scripts has been threatened with the release of “millions of consumer records” if the company does not meet the extortionists’ demands for payment. Express Scripts has received a letter listing details on 75 individuals, including names, Social Security numbers, birthdates and, in some cases, prescription information.

Express Scripts is one of the largest pharmacy benefit managers, processing 500 million prescriptions a year for about 50 million Americans.

More about the investigation can be read in a press release available here.

The incident brings to mind the potential risks in managing protected health information. The risks include not only inadvertent breaches of privacy requirements but also malevolent attempts to compromise data security.

Aside from the need for due diligence in compliance with HIPAA’s privacy requirements, it is also worth noting that many states have either enacted or are considering legislation requiring consumer notification when there are security breaches. Resources and guidance on managing data security and contingency plans in the event of a breach may be found here.