
Massive Cencora Data Breach Unleashes Sensitive Patient Information from 11 Top Pharmaceutical Giants in the US

A Cencora data breach has exposed sensitive patient information from 11 US drug companies. The database was discovered on an unprotected server, revealing names, addresses, and medical data of 37,000 patients. The incident highlights the importance of secure data storage and the potential risks to individuals from healthcare-related data breaches.

Post updated on 5/25 to add three more pharmaceutical firms also impacted by the Cencora security breach.

Imagine your trusted doctor prescribing medication and having the details of your health condition exposed to the world. That’s what happened when some of the largest drug companies in the world faced data breaches due to a February 2024 cyberattack on Cencora, a pharmaceutical services provider they partner with.

Cencora, a Pennsylvania-based company formerly known as AmerisourceBergen, has been a major player in the pharmaceutical industry, specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support. With a presence in 50 countries, 46,000 employees, and a 2023 revenue of $262 billion, it seemed like a company that could protect its clients’ data.

Unfortunately, that wasn’t the case. In February 2024, Cencora disclosed a data breach in a Form 8-K filing with the SEC, stating that unauthorized parties gained access to its information systems and exfiltrated personal data. At the time, the company opted not to share any additional information regarding the incident and its potential impact on its clients. Also, no ransomware groups ever assumed responsibility for the attack.

Major pharmaceutical firms impacted

Today, the California Attorney General’s office published multiple data breach notification samples submitted in the past couple of days by some of the largest pharmaceutical firms in the United States, all attributing their data exposure to the February Cencora incident.

These firms, which include Novartis, Bayer, AbbVie, Regeneron Pharmaceuticals, and Genentech, had one thing in common: they all relied on Cencora and its Lash Group affiliate to facilitate access to prescribed therapies through drug distribution, free trial offers, co-pay coupons, patient support and services, and other services.

As a result of the breach, the following sensitive information was exposed: full name, address, health diagnosis, medications, and prescriptions. The eleven companies impacted by this breach have all issued almost identical data breach notifications.

While there is no evidence that the exfiltrated information has been publicly disclosed or used for fraudulent purposes, the potential consequences are significant. Imagine having your personal medical information exposed to the world, or worse, used by criminals for nefarious purposes.

What’s being done to help?

To combat the risk to exposed individuals, Cencora is offering recipients two years of free identity protection and credit monitoring services through Experian, which they can take advantage of until August 30, 2024.

While we commend Cencora for taking steps to help affected individuals, it’s important to recognize that these breaches highlight an ongoing issue in the cybersecurity world. As the old adage goes, “an ounce of prevention is worth a pound of cure.”

What can you do?

As an individual, it’s essential to stay vigilant and protect your personal information as best you can. But it’s also important to demand more from the companies you trust with your data. Companies need to do better to protect their clients’ information and prevent cyberattacks like this from happening in the first place.

If you’re concerned about your own cybersecurity or that of your business, we’re here to help. Our IT Services team has the knowledge, experience, and resources to help you stay safe in an increasingly risky digital world. Contact us today to learn more and take the first step in protecting your valuable data.
