HispanicBusiness

Ernst & Young, which has denied any wrongdoing, was hired to assist Express Scripts with tax accounting work and the tax-related aspects of its merger with Medco. Express Scripts consummated its purchase of Medco in April 2012. The consulting arrangement came to end in September after the alleged theft was discovered.

"If, God forbid, he did this, it's a very serious matter. It would be jail time and very heavy fines," said Alan Reinstein, a professor of accounting at Wayne State University in Detroit. "But the case doesn't pass my smell test.

"I've never heard of this happening before. There's no motive for it," he said. "If a guy uses this data to gain a client and the word gets out, his career would be over. There's a tremendous amount of risk. It doesn't make any sense that a guy would risk all of that."

Reinstein also said that Ernst & Young would have no motive to misappropriate Express Scripts' trade secrets. "E&Y probably knows this business very well. ... I cannot even imagine in a trillion years that E&Y as a firm would conspire to do something so stupid," he said. "The partner may be in trouble, especially if he tried to use this data for his own good, but it's hard to know how E&Y would be held responsible."

Gravlin, a partner and chief technology officer for Ernst & Young's health practice, has a master's degree in computer science. He worked for the past couple of years at Ernst & Young's offices in Clayton. He and his family live in a luxury home next to a golf course in Caseyville.

His resume on the LinkedIn website indicates that he worked previously for Deloitte Consulting LLP and Accenture. Years ago, he served as a vice president at Cap Gemini Ernst & Young, a New York-based consulting firm.

Gravlin emailed the sensitive data to himself by sending it to "at least five different email addresses," the suit alleges, and tried to "destroy evidence of his theft" by altering and deleting data on Express Scripts' computers and email servers.

According to the complaint, the case broke on Aug. 29, 2012, when Express Scripts' security team identified "a number of suspicious emails containing confidential and proprietary information and documents" that had been sent from an Ernst & Young tax consultant's computer at the Express Scripts headquarters to an odd-sounding personal email account at Google: gmale66666@gmail.com.

An internal probe revealed that those emails were sent by Gravlin, who had used Ernst & Young tax consultant Michelle Borman's user name and password, which she shared with other Ernst & Young employees, the complaint alleges. Borman, who works at the accounting firm's offices in Chicago, has not been named as a defendant.

"Since at least March 2012, Gravlin had been sneaking into Express Scripts' facilities with false credentials and using several E&Y employees' computer security credentials -- with E&Y's knowledge and consent -- to access and steal the companies' confidential and trade secret information," the suit alleges.

Ernst & Young, one of the world's largest accounting firms, has more than 167,000 employees and reported $8.2 billion in revenue for 2012. In promotional materials, Ernst & Young claims that the data privacy and information security of its clients is paramount.

"We immediately took all steps to secure the data," said Amy Call Well, an Ernst & Young spokeswoman in Washington. "We are not aware of any instance, nor does the company specify any instance, where (Express Scripts) data was inappropriately used for any purpose by Ernst & Young or its personnel, or transmitted to a third party."

Call Well said that when the accounting firm was notified about this matter several months ago, the firm promptly conducted an investigation and determined that its policies had been violated. "We believe that E&Y's prompt action to secure the data prevented any harm to ESI (Express Scripts)," she said. "Mr. Gravlin is no longer with the firm."

However, the lawsuit contends that Tom Thelen, the Ernst & Young partner overseeing the accounting firm's contract with Express Scripts, has acknowledged that "he knew that Gravlin had taken the companyies' information before Express Scripts' personnel discovered it, but failed to notify anyone at Express Scripts."

Ernst & Young determined that Gravlin removed "at least 952 files containing confidential and proprietary information and data" from Express Scripts, and in 2012 he performed consultant services for one of Express Scripts' competitors, the suit alleges.