Massive Cencora Data Breach Unveils Sensitive Patient Information from 11 Top Pharmaceutical Giants in the US
A Cencora data breach has exposed patient information from eight US drug companies. The leak stems from misconfigurations in a Cencora-owned Elasticsearch server, revealing over 37 thousand patient records.
Update: Adding three more pharmaceutical firms impacted by the Cencora security breach.
Several of the world’s largest drug companies have reported data breaches as a result of a February 2024 cyberattack on Cencora, a company they partner with for pharmaceutical and business services.
Previously known as AmerisourceBergen, Cencora is a pharmaceutical services provider specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support. This Pennsylvania-based company operates in 50 countries, employs 46,000 people, and reported a 2023 revenue of $262 billion.
In February 2024, Cencora disclosed a data breach in a Form 8-K filing with the SEC, revealing that unauthorized parties had accessed its information systems and extracted personal data. At the time, the company chose not to provide any further information about the incident or its potential impact on clients, and no ransomware groups took responsibility for the attack.
Recently, the California Attorney General’s office published a series of data breach notification samples submitted by some of the largest pharmaceutical firms in the United States, all attributing their data exposure to the February Cencora incident.
“Cencora, Inc. and its Lash Group affiliate partner with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to prescribed therapies through drug distribution, free trial offers, co-pay coupons, patient support and services, and other services,” reads a related data breach notification from Novartis.
“We take the privacy and protection of the information entrusted to us very seriously. Cencora is writing to let you know about an event that involved your personal information that Cencora maintains in connection with its patient support programs on behalf of Novartis Pharmaceuticals Corporation.”
The eleven firms impacted by this breach, all using almost identical data breach notifications, are:
- Novartis Pharmaceuticals Corporation – One of the largest pharmaceutical companies globally, with a strong presence in various therapeutic areas, including oncology, neuroscience, and immunology.
- Bayer Corporation – A large multinational company with significant operations in pharmaceuticals, consumer health, and agricultural products.
- AbbVie Inc – Known for its blockbuster drug Humira, AbbVie is a major player in immunology and oncology.
- Regeneron Pharmaceuticals, Inc. – Notable for its innovative treatments in ophthalmology, oncology, and immunology.
- Genentech, Inc. – A member of the Roche Group, Genentech is a leader in biotechnology and has made significant contributions to cancer treatment.
- Incyte Corporation – Focuses on oncology and hematology, with key products like Jakafi.
- Sumitomo Pharma America, Inc. – Part of Sumitomo Pharma Co., Ltd., known for its diverse portfolio in psychiatry, neurology, and oncology.
- Acadia Pharmaceuticals Inc. – Specializes in central nervous system disorders and has a smaller market presence than the others in this list.
- GlaxoSmithKline Group – A global healthcare company known for its wide-ranging portfolio in pharmaceuticals, vaccines, and consumer healthcare, with significant efforts in respiratory diseases, HIV, and immuno-inflammation.
- Endo Pharmaceuticals Inc. – Specializes in pain management, urology, and endocrinology, with a notable presence in both branded and generic pharmaceuticals.
- Dendreon Pharmaceuticals LLC – Focuses primarily on oncology, particularly in the development and commercialization of immunotherapy treatments for prostate cancer.
The data breach notices warn that Cencora’s internal investigation, which concluded on April 10, 2024, confirmed that the following information had been exposed: full name, address, health diagnosis, medications, and prescriptions.
The letter notes that as of this time, there’s no evidence that the exfiltrated information has been publicly disclosed on the internet or used for fraudulent purposes.
In response to the increased risk for exposed individuals, Cencora is offering recipients two years of free identity protection and credit monitoring services through Experian, which they can take advantage of until August 30, 2024.
We have reached out to Cencora to learn more about the data breach incident and the number of people impacted, but a spokesperson declined to provide additional details, directing us to a news release issued last week.