Pharmaceutical Giant Cencora Confirms Patient Data Breach Impacting over a Dozen Pharma Companies

U.S. pharmaceutical giant Cencora has disclosed that the February 2024 data breach leaked sensitive patient data, including diagnoses and medications.

Present in more than 50 countries, the Pennsylvania-based pharmaceutical distributor employs over 46,000 workers and reported $262.2 billion in sales in 2023.

According to a previous 8-K filing with the U.S. Securities and Exchange Commission (SEC) on February 21, 2024, Cencora said it “learned that data from its information systems had been exfiltrated, some of which may contain personal information.”

The company initiated containment measures, launched an investigation with third-party cyber forensics, and notified relevant law enforcement agencies. Cencora also disclosed that the cyber attack did not disrupt the company’s computer systems.

Nevertheless, the company shared limited details regarding the scope of the cyber incident, including the number of victims and whether the data breach would materially impact the Company’s financial condition or results of operations.

Cencora has begun notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year.

Cencora data breach leaked sensitive patient data

Cencora completed its investigation on April 10, 2024. According to letters to affected individuals sent out this week, Cencora said that the data breach included sensitive patient data.

In the letters, Cencora disclosed that the data from its systems includes patient names, postal addresses, and dates of birth, as well as information about their health diagnoses and medications.

So far, no evidence suggests that the leaked information has been publicly disclosed or misused for fraudulent purposes as a result of this incident. The company also believes that the threat actor will not leak the stolen patient data, suggesting that a ransom may have been paid.

Cencora is also offering 24 months of Experian IdentityWorks credit monitoring and remediation services to individuals whose personal information was involved in the incident.

“Yet another major healthcare breach in the US is impacting its citizens,” said Shawn Waldman, CEO and Founder of Secure Cyber Defense. “This time, sensitive medical data was compromised, including prescriptions and medical history information. This data can be used in phishing campaigns to take advantage of individuals and, potentially worse, steal their identities.”

Claiming that “we’re failing as a nation to secure our critical data and systems,” Waldman recommended “stringent auditing and controls to keep our healthcare and critical infrastructure systems more secure.”

Over 540,000 victims notified in the Cencora patient data breach

Although the number of individuals impacted by the Cencora patient data breach remains unknown, Cencora serves more than 18 million patients and handles about 20% of pharmaceuticals distributed across the United States.

So far, at least 540,000 individuals have been notified in numerous data breach notifications across several states.

However, the total number of impacted individuals is expected to increase. Cencora also warned that not all victims may receive data breach notification letters, as it does not have all customers’ address information to provide direct notifications.

At least 15 pharmaceutical giants have filed data breach notifications in various states linked to the Cencora cyber attack. They include Bayer, GlaxoSmithKline Group of Companies, Novartis Pharmaceuticals, and Bristol Myers Squibb, which accounts for more than half (267,740) of all the victims notified.

Meanwhile, the nature of the Cencora cyber attack remains unknown. Reuters reported that Cencora’s AmerisourceBergen Specialty Group has disclosed that the patient data breach stemmed from a prescription supply program from its now-defunct subsidiary Medical Initiatives Inc.

Explaining the source of the stolen information, the company said it “maintained this information through its partnership with pharmaceutical companies, pharmacies, and healthcare providers in connection with patient support programs, which provide patients access to medications and therapies.”