Several major pharmaceutical firms have reported data breaches stemming from the Cencora Data Breach in February 2024.
Cencora, which was formerly known as AmerisourceBergen, is a provider of pharmaceutical and business services that many large drug companies partner with for services such as drug distribution, specialty pharmacy solutions, consulting, and clinical trial support.
Cencora Data Breach: What Happened?
The breaches appear to be a result of the drug companies’ associations and data sharing with Cencora, which was the initial target of the February cyberattack on Cencora.
Cencora, headquartered in Pennsylvania, has a global footprint spanning 50 countries and employs 46,000 people. With 2023 revenues of $262 billion, it is a major player in the pharmaceutical industry.
In February 2024, Cencora disclosed a data breach in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), stating that unauthorized parties had gained access to its information systems and exfiltrated personal data.
At the time of disclosure, Cencora opted not to share additional information about the incident or its potential impact on clients. Furthermore, no ransomware groups stepped forward to claim responsibility for the Cencora data breach.
Today, the California Attorney General’s office publicly released data breach notification letters submitted in recent days by several major U.S. pharmaceutical companies. All of the notifications attributed the companies’ data exposures to the cyberattack on Cencora in February 2024.
This confirms that Cencora’s systems contained personal information from its client pharmaceutical firms and that unauthorized access to Cencora’s networks led to the theft of data now reported by these firms to California authorities.
The notifications disclosed by the California Attorney General shed new light on the scope and impact of the February incident initially reported by Cencora.
“Cencora, Inc. and its Lash Group affiliate partner with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to prescribed therapies through drug distribution, free trial offers, co-pay coupons, patient support and services, and other services,”
Reads a data breach notification from Novartis.
“We take the privacy and protection of the information entrusted to us very seriously. Cencora is writing to let you know about an event that involved your personal information that Cencora maintains in connection with its patient support programs on behalf of Novartis Pharmaceuticals Corporation.”
The 11 pharmaceutical firms impacted by the data breach are:
- Genentech, Inc.
- Incyte Corporation
- Acadia Pharmaceuticals Inc.
- Novartis Pharmaceuticals Corporation
- Sumitomo Pharma America, Inc.
- Bayer Corporation
- AbbVie Inc.
- GlaxoSmithKline Group
- Endo Pharmaceuticals Inc.
- Dendreon Pharmaceuticals LLC
- Regeneron Pharmaceuticals, Inc.
These data breach notices from the 11 pharmaceutical firms warn that Cencora’s internal investigation, which concluded on April 10, 2024, confirmed the following information had been improperly accessed: full name, address, health diagnosis, medications, and prescriptions.
The letter notes there is no evidence currently that the exfiltrated information has been publicly disclosed or used for fraudulent purposes.
In response to the increased risks faced by impacted individuals, Cencora is offering all recipients two years of free identity protection and credit monitoring services through Experian, which can be utilized until August 30, 2024.
The company’s spokesperson has declined to provide additional specifics of the Cencora data breach, referring back to a news release issued by the company last week.
