Cyber Incident Victim: Express Scripts

Date: Apr 2022

Location: United States of America

Summary

Express Scripts experienced unauthorized access to certain customer accounts through its mobile application, where attackers utilized valid credentials to compromise accounts over a multi-day period in late April to early May. The breach exposed personal and medical information including names, prescribed medications, prescription numbers, dosage details, physician names, and associated pharmacies. Upon detection, the organization locked affected accounts, reset passwords, and advised customers to update credentials across other platforms sharing the same passwords, attributing the incident likely to credential reuse attacks. The exact number of impacted individuals remains undisclosed.

Description

Express Scripts, a pharmacy benefit management organization, experienced a security incident involving unauthorized access to certain customer accounts through its mobile application. The breach occurred between April 30 and May 3, 2022, with suspicious activity detected on May 1, 2022. Attackers gained entry using valid usernames and passwords, compromising accounts that contained protected health information. Exposed data included customer names, medication names, prescription numbers, dosage details, prescribing physicians' names, and associated pharmacy information. The organization identified no evidence suggesting broader system infiltration beyond the compromised user accounts.

Upon detecting the breach, Express Scripts immediately locked affected accounts and reset passwords to prevent further unauthorized access. The company attributed the incident to credential-based attacks, specifically noting the likelihood of password spraying—a technique exploiting reused credentials from unrelated data breaches. Affected individuals received notifications advising password changes across all platforms sharing identical credentials. Express Scripts did not disclose the total number of impacted individuals in its breach notification to the Massachusetts Attorney General. No evidence emerged indicating misuse of the accessed data, though the organization maintained precautionary measures including account security enhancements. The incident underscored risks associated with password reuse across multiple services, particularly in healthcare systems handling sensitive patient information.
