Cyber Security
Pharma Giant Cencora Alerts Millions About Major Data Breach
02 August 2024
|
Paikan Begzad
Pharmaceutical leader Cencora has notified over a million individuals across the United States that their personal and protected health information was compromised in a data breach earlier this year.
In May, Cencora, formerly known as AmerisourceBergen until 2023, disclosed that a February incident led to the exposure of patient data. This data was acquired through Cencora's collaborations with pharmaceutical companies such as AbbVie, Bayer, Pfizer, and Regeneron for patient support programs. The compromised information includes patient names, postal addresses, dates of birth, health diagnoses, medications, and prescriptions.
Cencora has not specified the cause of the data breach, whether it was due to malicious hacking or an internal security failure. The company also did not confirm the total number of affected individuals. However analysis of data breach notifications filed with various state attorneys general indicates that at least 1.43 million people have been informed about the breach.
Our investigation involved reviewing notifications on the websites of state attorneys general in Delaware, Iowa, Massachusetts, Montana, New Hampshire, Texas, and Washington. These states require companies to disclose the number of residents affected by data breaches. Texas reported the highest number, with 1.05 million individuals notified.
Cencora’s most recent notifications to affected individuals were sent in mid-July, indicating the ongoing nature of their outreach. The actual number of those impacted is likely higher, as Cencora admitted it lacks up-to-date addresses for all affected individuals. To date, Cencora has served over 18 million patients.
When contacted for comment, Cencora spokesperson Mike Iorfino did not dispute the reported numbers but declined to provide a precise figure or further comment.
With 1.43 million individuals affected, this breach is among the largest health-related data compromises of 2024, according to the U.S. Department of Health and Human Services (HHS). Other significant breaches this year include Kaiser’s inadvertent exposure of 13.4 million patients' information to advertisers, Sav-Rx's notification to 2.8 million individuals about a cyberattack, and WebTPA's alert to 2.5 million individuals regarding stolen insurance information and Social Security numbers.
A February ransomware attack on Change Healthcare, a subsidiary of UnitedHealth, is also notable for affecting a vast number of Americans, potentially over 100 million. However, Cencora has clarified that its data breach is unrelated to the incident at Change Healthcare.