The impact of the Cencora data breach is far more widespread than earlier thought as more than a dozen pharmaceutical giants including Novartis and GlaxoSmithKline disclose personal and health information data leaks stemming from the February breach incident.
Cencora Inc., formerly recognized as AmerisourceBergen, and its Lash Group affiliate announced in a February filing with the Securities and Exchange Commission (SEC) that the company faced a cybersecurity incident where “data from its information systems had been exfiltrated.”
Cencora is a major pharmacy company with over 46,000 employees and approximately $262.2 billion in revenue in 2023. Based in Pennsylvania, it operates in around 50 countries globally.
The popular American drug wholesaler did not disclose the extent of the data breach in its February SEC filing but did confirm at the time that some of the data exfiltrated in the attack could contain personal information.
Last week, however, Cencora and The Lash Group clients began notifying state Attorneys General about a data breach that stemmed from the February cybersecurity incident at Cencora. At least 15 pharmaceutical companies reported that the personal data of hundreds of thousands of individuals were compromised.
Notifications identified the following affected companies:
- AbbVie Inc.
- Acadia Pharmaceuticals Inc.
- Bayer Corporation
- Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
- Incyte Corporation
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Novartis Pharmaceuticals Corporation
- Pharming Healthcare, Inc.
- Regeneron Pharmaceuticals, Inc.
- Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
- Tolmar
State Attorneys General often announce data breaches without specifying the number of affected people but AG’s office in Texas does disclose the number impacting the state residents. Based on these partial numbers, at least 542,000 individuals seem to be impacted from the Cencora data breach, till date.
The Cyber Express reached out to Cencora for confirming the total number of individuals impacted to understand the full extent of the data breach but did not receive any communication till the time of publishing the article.
Cyber Forensic Findings from the Cencora Data Breach
Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack.
AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear.
U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people.
Cencora’s investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said they were unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data, till date.
The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost and steps have also been taken to harden defenses to prevent such security breaches in the future.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.