Cencora, Inc. (formerly known as AmerisourceBergen) and its Lash Group affiliate were impacted by a cyberattack. Cencora reported the incident in a Securities and Exchange Commission (SEC) filing in February 2024. At that time, the scope of the data breach had not been confirmed, though Cencora reported in the SEC filing that data was exfiltrated during the attack.
Cencora, based in Conshohocken, PA, works with pharmaceutical companies, healthcare organizations, and pharmacies. It provides services such as business analytics and technology, patient assistance and services, and drug distribution, among others. About 20% of the pharmaceutical goods marketed and distributed in America are managed by Cencora.
Recently, customers of Cencora and The Lash Group began notifying state Attorneys General of the data breach. The total number of impacted customers is not yet confirmed; however, the breach is known to have impacted a minimum of 15 pharmaceutical firms and involved the stolen personal information of thousands of people. According to the breach notifications submitted to state Attorneys General to date, the pharmaceutical companies listed below are impacted:
- Acadia Pharmaceuticals Inc.
- AbbVie Inc.
- Bristol Myers Squibb Patient Assistance Foundation
- Bristol Myers Squibb Company
- Bayer Corporation
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group of Companies
- GlaxoSmithKline Patient Access Programs Foundation
- Incyte Corporation
- Novartis Pharmaceuticals Corporation
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Pharming Healthcare, Inc.
- Regeneron Pharmaceuticals, Inc.
- Sunovion Pharmaceuticals Inc. / Sumitomo Pharma America, Inc.
- Tolmar
Although state Attorneys General frequently post data breach notices, they don't always state the number of persons affected, so the full scale of the breach is not known at this time. Upon discovering the cyberattack on February 21, 2024, Cencora took action right away to contain the attack and prevent further unauthorized access. According to the forensic investigation, a threat actor had exfiltrated data files from its systems, which contained patient information provided by its customers for its patient support services. AmerisourceBergen Specialty Group (ABSG), a department of Cencora, stated that the breach affected the data of a prescription supply system managed by the now-defunct subsidiary known as Medical Initiatives Inc.
On April 10, 2024, Cencora reported that the stolen information involved first and last names, addresses, birth dates, medical diagnoses, and/or medicines and prescription drugs. According to Cencora's investigation, this incident is not associated with other big healthcare cyberattacks, such as those on Ascension and Change Healthcare. At the time of issuing breach notifications, Cencora/Lash Group stated that they did not know of any attempted or actual improper use of the stolen information and had not discovered any public exposure of it. Although data misuse was not confirmed, the impacted persons were provided two years of credit monitoring and identity theft protection services for free. Cencora also took steps to strengthen its defenses (likely including HIPAA training) to prevent similar security breaches in the future. As of this publication, there is no information regarding the cybercriminal group responsible for the cyberattack.