Original Article Text

Cencora data breach exposes US patient info from 11 drug companies.

Post updated on 5/25 to add three more pharmaceutical firms also impacted by the Cencora security breach.

Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, with which they partner for pharmaceutical and business services.

Cencora, formerly AmerisourceBergen, is a pharmaceutical services provider specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support. The Pennsylvania-based firm, with a presence in 50 countries, employs 46,000 people and has a revenue (2023) of $262 billion.

In February 2024, Cencora disclosed a data breach in a Form 8-K filing with the SEC, stating that unauthorized parties gained access to its information systems and exfiltrated personal data. At the time, the company opted not to share any additional information regarding the incident and its potential impact on its clients. Also, no ransomware groups ever assumed responsibility for the attack.

Today, the California Attorney General's office published multiple data breach notification samples submitted in the past couple of days by some of the largest pharmaceutical firms in the United States, all attributing their data exposure to the February Cencora incident.

"Cencora, Inc. and its Lash Group affiliate partner with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to prescribed therapies through drug distribution, free trial offers, co-pay coupons, patient support and services, and other services," reads a related data breach notification from Novartis.

"We take the privacy and protection of the information entrusted to us very seriously. Cencora is writing to let you know about an event that involved your personal information that Cencora maintains in connection with its patient support programs on behalf of Novartis Pharmaceuticals Corporation."

The eight firms impacted by this breach, all using almost identical data breach notifications, are:

The data breach notices warn that Cencora's internal investigation, which concluded on April 10, 2024, confirmed that the following information had been exposed: full name, address, health diagnosis, medications, and prescriptions.

The letter notes that as of this time, there's no evidence that the exfiltrated information has been publicly disclosed on the internet or that it has been used for fraudulent purposes.

As a response to the elevated risk for exposed individuals, Cencora is offering recipients two years of free identity protection and credit monitoring services through Experian, which they can take advantage of until August 30, 2024.

BleepingComputer has reached out to Cencora to learn more about the data breach incident as well as the number of people impacted, but a spokesperson declined to provide additional details, pointing us to a news release issued last week.

Daily Brief Summary

DATA BREACH // Major Data Breach at Cencora Impacts Multiple Pharma Firms

In February 2024, Cencora, a major pharmaceutical services provider, experienced a significant data breach impacting the personal information of US patients.

Eleven major pharmaceutical companies, later revised to include three additional firms, were affected by the breach due to their partnership with Cencora.

The breach was first disclosed by Cencora in a Form 8-K filing with the SEC, noting unauthorized access to their systems and data exfiltration.

Information exposed includes full names, addresses, health diagnoses, medications, and prescriptions.

There's no current evidence that the stolen data has been publicly disclosed or used for fraudulent purposes.

Cencora has offered two years of free identity protection and credit monitoring services to affected individuals through Experian.

The company has not publicly revealed the extent of the breach or the number of individuals affected, and has declined further comment beyond a recent news release.