Cencora Cyberattack Affects Pharmaceutical Companies

by | Jun 2, 2024

Cencora, Inc. (earlier known as AmerisourceBergen), and its Lash Group affiliate, were impacted by a cyberattack. Cencora reported the incident in a Securities and Exchange Commission (SEC) filing in February 2024. During that time, the scope of the data breach is not yet confirmed though Cencora reported in the SEC filing the exfiltration of data during the attack.

Cencora based in Conshohocken, PA works with pharmaceutical companies, healthcare organizations, and pharmacies. It provides services, such as business analytics and technology, patient assistance and services, drug distribution, and other services. About 20% of pharmaceutical goods that are marketed and distributed in America are managed by Cencora.

Recently, customers of Cencora and The Lash Group began informing state Attorneys General concerning the data breach. The total number of impacted customers is not yet confirmed, however, the breach is identified to have impacted a minimum of 15 pharmaceutical firms and involved the stolen personal information of thousands of people. According to the breach notifications submitted to state Attorneys General to date, the pharmaceutical companies listed below are impacted:

  • Acadia Pharmaceuticals Inc.
  • AbbVie Inc.
  • Bristol Myers Squibb Patient Assistance Foundation
  • Bristol Myers Squibb Company
  • Bayer Corporation
  • Dendreon Pharmaceuticals LLC
  • Endo Pharmaceuticals Inc.
  • Genentech, Inc.
  • GlaxoSmithKline Group of Companies
  • GlaxoSmithKline Patient Access Programs Foundation
  • Incyte Corporation
  • Novartis Pharmaceuticals Corporation
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
  • Pharming Healthcare, Inc.
  • Regeneron Pharmaceuticals, Inc
  • Sunovion Pharmaceuticals Inc / Sumitomo Pharma America, Inc.
  • Tolmar

Although State Attorneys General frequently post data breach notices, they don’t always say the number of persons affected, thus the enormity of the breach is not known at this time. Upon discovering the cyberattack on February 21, 2024, Cencora took action right away to restrict the attack and avoid more unauthorized access. According to the forensic investigation, a threat actor had extracted data files from its systems, which contained patient information given by its customers for its patient support services. AmerisourceBergen Specialty Group (ABSG), a department of Cencora, stated the breach affected the data of a prescription supply system managed by the now non-existing subsidiary known as Medical Initiatives Inc.

On April 10, 2024, Cencora reported that the stolen information involved first and last names, addresses, birth dates, medical diagnoses, and/or medicines and prescription drugs. According to Cencora’s investigation, this incident is not associated with other big healthcare cyberattacks like the cyberattacks on Ascension and Change Healthcare. During the time of issuing breach notifications, Cencora/LashGroup stated they did not know of any attempted or actual improper use of the stolen information and did not discover any public exposure of the stolen information. Although data misuse was not confirmed, the impacted persons were provided two years of credit monitoring and identity theft protection services for free. Cencora also took steps to strengthen defenses (likely including HIPAA training) to avoid the same security breaches later. As of this publication, there is no information regarding the cybercriminal group responsible for the cyberattack.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy