Penka Hristovska
Published on: May 29, 2024

A data breach at drug distributor Cencora has compromised sensitive information, potentially impacting patients receiving medications from almost a dozen different drug manufacturers.

Cencora, previously AmerisourceBergen, along with its patient services unit Lash Group, has reported a data breach to the California attorney general’s office. Cencora first disclosed the breach in a February filing with the Securities and Exchange Commission, stating that the incident had no material impact on the company’s operations at that time.

“As of the date of this filing, the incident has not had a material impact on the company’s operations, and its information systems continue to be operational,” the filing reads. “The company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operations.”

Then, earlier this week, the California Attorney General’s office released several data breach notification samples submitted in recent days by major pharmaceutical firms in the US, all linking their data exposure to the February Cencora incident.

Companies impacted by the breach include Bristol Myers Squibb, Bayer, Genentech, Acadia, AbbVie, Novartis, Regeneron, Incyte, Dendreon Pharmaceuticals, Sumitomo Pharma, Endo, and GSK.

In letters sent to patients, Cencora explains the company discovered “data from its information systems had been exfiltrated.” The compromised information could include first and last names, addresses, birthdates, health diagnoses, and prescriptions.

However, there’s “no evidence that any of this information has been or will be publicly disclosed, or that any information was misused for fraudulent purposes,” Lash Group highlighted in a press release.

The company swiftly launched an investigation with the assistance of law enforcement, cybersecurity experts, and external legal advisors. By April 10, they confirmed that some customer information had been exposed in the breach.

The company is offering two years of free fraud detection and credit monitoring services to those potentially affected.

The number of individuals whose personal and health details were stolen remains unclear, as the California AG doesn’t mandate hacked companies to disclose that information.