News Column

Tech Guru Is a Rising Star, But Did He Step Over the Line?

Page 2 of 1

For more than a decade, Donald Gravlin was a rising star in the consulting world -- a leading expert on health data management and technology.

Gravlin, 46, most recently a principal in the health care advisory practice at Ernst & Young, has been quoted in trade magazines as an authority on arcane topics such as electronic health record systems, medical devices, wireless LANs, blade computing, e-learning, and optical character recognition software.

Now, the technology guru and health care consultant is viewed as someone who may have stepped over the line, violating the basic ethical precepts of the accounting and consulting professions.

Express Scripts Holding Co., the nation's largest pharmacy benefit manager, has accused Gravlin of penetrating the corporate giant's headquarters in north St. Louis County and stealing a massive trove of secret documents.

In a lawsuit filed last week in St. Louis County Circuit Court in Clayton, Express Scripts accused "Big Four" accounting firm Ernst & Young and Gravlin of misappropriating the equivalent of 20,000 pages of confidential information and trade secrets in an effort to win more health care-related business from Express Scripts and its competitors.

Ernst & Young and Gravlin "were possessed with an evil motive," the suit alleges. "E&Y and Gravlin engaged in unlawful and malicious competitive intelligence gathering."

The FBI is investigating the matter.

"Once we became aware of the issue, we did turn it over to the FBI for further investigation," Express Scripts spokesman Brian Henry said in an email. "Federal law enforcement is taking this case very seriously and looking into it thoroughly."

The U.S. attorney's office in St. Louis declined to comment.

Express Scripts' lawsuit, which asks for punitive damages, said those secrets include "competitively sensitive cost and pricing information ... highly proprietary projections and integration strategy documents ... and highly proprietary business strategy and performance metrics documents."

In other words, the secrets are the keys to Express Scripts' breakaway success. The alleged thefts occurred around the time when the pharmacy benefit manager was completing its $30 billion acquisition of its chief rival, New Jersey-based Medco Health Solutions Inc.

The suit itself was astonishing because Express Scripts is considered such a tightly managed company. Its gleaming headquarters on the campus of the University of Missouri-St. Louis is a virtual fortress. And at Express Scripts' nearby mail-order facility, guests are forbidden from photographing the robotic machinery.

Judson Clark, an investment analyst at Edward Jones & Co. in Des Peres, said the allegedly stolen data was highly prized. "This is the first time I've seen something like this," he said. "For (pharmacy benefit management) companies, their pricing information is their business. ... If you could go contract by contract and piece together their pricing strategy, you'd have an advantage in the market."

Jeff Jonas, an analyst at Gabelli & Co, an investment management firm in Rye, N.Y., called such allegations "relatively rare. ... It also seems like a stretch that Ernst & Young would be complicit. I imagine there were pretty strict confidentiality and nondisclosure agreements. And it seems like the data is going to stay private and not be that big of an issue."

Ernst & Young, which has denied any wrongdoing, was hired to assist Express Scripts with tax accounting work and the tax-related aspects of its merger with Medco. Express Scripts consummated its purchase of Medco in April 2012. The consulting arrangement came to end in September after the alleged theft was discovered.

"If, God forbid, he did this, it's a very serious matter. It would be jail time and very heavy fines," said Alan Reinstein, a professor of accounting at Wayne State University in Detroit. "But the case doesn't pass my smell test.

"I've never heard of this happening before. There's no motive for it," he said. "If a guy uses this data to gain a client and the word gets out, his career would be over. There's a tremendous amount of risk. It doesn't make any sense that a guy would risk all of that."

Reinstein also said that Ernst & Young would have no motive to misappropriate Express Scripts' trade secrets. "E&Y probably knows this business very well. ... I cannot even imagine in a trillion years that E&Y as a firm would conspire to do something so stupid," he said. "The partner may be in trouble, especially if he tried to use this data for his own good, but it's hard to know how E&Y would be held responsible."

Gravlin, a partner and chief technology officer for Ernst & Young's health practice, has a master's degree in computer science. He worked for the past couple of years at Ernst & Young's offices in Clayton. He and his family live in a luxury home next to a golf course in Caseyville.

His resume on the LinkedIn website indicates that he worked previously for Deloitte Consulting LLP and Accenture. Years ago, he served as a vice president at Cap Gemini Ernst & Young, a New York-based consulting firm.

Gravlin emailed the sensitive data to himself by sending it to "at least five different email addresses," the suit alleges, and tried to "destroy evidence of his theft" by altering and deleting data on Express Scripts' computers and email servers.

According to the complaint, the case broke on Aug. 29, 2012, when Express Scripts' security team identified "a number of suspicious emails containing confidential and proprietary information and documents" that had been sent from an Ernst & Young tax consultant's computer at the Express Scripts headquarters to an odd-sounding personal email account at Google: gmale66666@gmail.com.

An internal probe revealed that those emails were sent by Gravlin, who had used Ernst & Young tax consultant Michelle Borman's user name and password, which she shared with other Ernst & Young employees, the complaint alleges. Borman, who works at the accounting firm's offices in Chicago, has not been named as a defendant.

"Since at least March 2012, Gravlin had been sneaking into Express Scripts' facilities with false credentials and using several E&Y employees' computer security credentials -- with E&Y's knowledge and consent -- to access and steal the companies' confidential and trade secret information," the suit alleges.

Ernst & Young, one of the world's largest accounting firms, has more than 167,000 employees and reported $8.2 billion in revenue for 2012. In promotional materials, Ernst & Young claims that the data privacy and information security of its clients is paramount.

"We immediately took all steps to secure the data," said Amy Call Well, an Ernst & Young spokeswoman in Washington. "We are not aware of any instance, nor does the company specify any instance, where (Express Scripts) data was inappropriately used for any purpose by Ernst & Young or its personnel, or transmitted to a third party."

Call Well said that when the accounting firm was notified about this matter several months ago, the firm promptly conducted an investigation and determined that its policies had been violated. "We believe that E&Y's prompt action to secure the data prevented any harm to ESI (Express Scripts)," she said. "Mr. Gravlin is no longer with the firm."

However, the lawsuit contends that Tom Thelen, the Ernst & Young partner overseeing the accounting firm's contract with Express Scripts, has acknowledged that "he knew that Gravlin had taken the companyies' information before Express Scripts' personnel discovered it, but failed to notify anyone at Express Scripts."

Ernst & Young determined that Gravlin removed "at least 952 files containing confidential and proprietary information and data" from Express Scripts, and in 2012 he performed consultant services for one of Express Scripts' competitors, the suit alleges.