November 10th, 2008
ExpressScripts faces sum of personal health record fears
Executives at ExpressScripts woke last month to a nightmare.
The electronic health records company received a note from a blackmailer threatening to release patients' personal health records to the whole world unless the blackmailer was paid off.
ExpressScripts refused to pay. They issued a press release and launched a Web site to discuss the problem with customers.
Open source medicine advocate Fred Trotter alerted me to this today and picks up the story:
The blackmailer proved that he/she has access to the data by providing information on 75 Express Scripts customers.
The company has done a fine job of swallowing this bitter pill. They have done exactly the right thing by making a public announcement. This is not their fault and by choosing not to hide it they are demonstrating strong ethics in a tough situation.
I would much rather have my PHI with a company that will tell me when something like this happens rather than one that makes me “feel safe” by telling me nothing. I am a big fan of “the devil that you know”.
It’s not just medical records outfits which knuckle under. Most companies whose virtual offices are hacked by blackmailers hush the incidents up, afraid of a customer backlash and lawsuits.
Fred thinks there is a good chance the “attack vector” on this is an inside job. The next most likely scenario, a foreign hacker, would put every e-commerce company in the world under imminent threat.
But, as Jack Ryan teaches in Tom Clancy’s spy novels, it is much wiser in the long run to face these threats down and counter them than to give in to blackmail.
Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.










