Cencora Data Breach Exposes Information from Major Drug Companies

Penka Hristovska Senior Editor
Published on: May 29, 2024

A data breach at drug distributor Cencora has compromised sensitive information, potentially impacting patients receiving medications from almost a dozen different drug manufacturers.

Cencora, previously AmerisourceBergen, along with its patient services unit Lash Group, has reported a data breach to the California attorney general’s office. Cencora first disclosed the breach in a February filing with the Securities and Exchange Commission, stating that the incident had no material impact on the company’s operations at that time.

“As of the date of this filing, the incident has not had a material impact on the company’s operations, and its information systems continue to be operational,” the filing reads. “The company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operations.”

Then, earlier this week, the California Attorney General’s office released several data breach notification samples submitted in recent days by major pharmaceutical firms in the US, all linking their data exposure to the February Cencora incident.

Companies impacted by the breach include Bristol Myers Squibb, Bayer, Genentech, Acadia, AbbVie, Novartis, Regeneron, Incyte, Dendreon Pharmaceuticals, Sumitomo Pharma, Endo, and GSK.

In letters sent to patients, Cencora explains the company discovered “data from its information systems had been exfiltrated.” The compromised information could include first and last names, addresses, birthdates, health diagnoses, and prescriptions.

However, there’s “no evidence that any of this information has been or will be publicly disclosed, or that any information was misused for fraudulent purposes,” Lash Group highlighted in a press release.

The company swiftly launched an investigation with the assistance of law enforcement, cybersecurity experts, and external legal advisors. By April 10, they confirmed that some customer information had been exposed in the breach.

The company is offering two years of free fraud detection and credit monitoring services to those potentially affected.

The number of individuals whose personal and health details were stolen remains unclear, as the California AG doesn’t require breached companies to disclose that information.

About the Author
Penka Hristovska

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.