SUFFOLK, Va. (WAVY) — Stephanie Godfrey says she was eating dinner last week when emails started flooding her inbox.
“I have a watch, so it started vibrating a lot, so I look down and it was Express Scripts, Express Scripts, Express Scripts,” said Godfrey.
Godfrey says she uses the company Express Scripts, which is a pharmacy benefit manager that provides people access to medicine they need.
So she thought the emails could be about prescriptions for her household.
But when the emails kept coming in in bulk, and she ended up with 9,000 of them, she knew something was wrong.
She realized these emails were about other people’s prescriptions.
“When you open it you can just see the last four of the prescription number and it’ll say credit card and that’s when we realized these aren’t ours,” said Godfrey.
Godfrey called the company.
“I spent an hour and 24 minutes on the phone with them,” she said.
But the emails kept coming.
“The whole time I’m thinking what if I’m not the only one?” said Godfrey.
Godfrey knew she wouldn’t do anything with the emails, but was worried someone else was getting them too.
10 On Your Side reached out to the company on Friday, and Godfrey says it was only after our call that the emails stopped.
Express Scripts sent 10 On Your Side these statements:
“We are aware of the issue. It was caused by an error in our system which has been addressed. It is very limited in scope – only two Express Scripts members have received emails in error and we have been in contact with both of them to ensure no information is compromised. We regret the error, and reacted as soon as we were made aware of it.
As always, we are committed to protecting patient information. Our initial research indicates that limited personal information was in the e-mails. Additionally, our research indicates that no individual last names or identification numbers were included.”
They later added, “In talking to our information security team, a few more things to share.
The member’s email preferences were to not receive personal health information, and from our analysis, it appears that she did not receive any PHI in the emails that were sent to her. While it is regrettable this happened, it is important to understand that PHI — like a name of a medicine or a medical condition — does not appear to have been shared in the emails.”