Cencora Data Breach Exposes Millions Of Patients To Identity Theft Featured

Almost a dozen pharmaceutical companies, including several major players, have lost sensitive customer data due to a supply chain cyberattack that trickled down from pharma giant Cencora.

A class action lawsuit was recently filed against pharmaceutical giant Cencora in the wake of it’s announcement that highly sensitive personal and medical information was stolen from its servers during a cyberattack earlier this year.

In late February 2024, Cencora, a drug wholesale company, filed a Form 8-K with the Securities and Exchange Commission (SEC) announcing that experienced a data breach, but offered no details.

Cencora, until recently known as AmerisourceBergen, is a healthcare provider whose solutions are used by manufacturers, providers and pharmacies to improve product access and supply chain efficiency. 

The Company to date still has not announced how many individuals were affected by the data breach. Given it handles about 20% of the pharmaceuticals sold and distributed throughout the United States, the number of affected individuals could run into the millions.

What Happened?

Cencora identified unauthorized access to their IT systems on February 21, 2024. The breach was severe, with malicious actors exfiltrating data from the company’s servers. Cencora has been collaborating with law enforcement and cybersecurity experts to investigate the extent of the breach and mitigate its impact​ (Security Daily Review)​.

Patients of Client Pharmaceuticals Also Affected By the Cencora Breach

As of May 27th, 11 pharmaceutical companies have submitted almost identical breach notification letters to the California Attorney General’s office – all claiming a data breach as a result of the Cencora incident.

These affected companies include –

  • Novartis Pharmaceuticals Corporation,
  • Bayer Corporation,
  • AbbVie,
  • Regeneron Pharmaceuticals,
  • Genentech,
  • Incyte Corporation,
  • Sumitomo Pharma America,
  • Acadia Pharmaceuticals,
  • GlaxoSmithKline Group,
  • Endo Pharmaceuticals, and
  • Dendreon Pharmaceuticals

Cencora’s investigation, which concluded in mid-April 2024, found the incident to be a data smash-and-grab, rather than a ransomware attack – so the company does not expect the attack to have a significant effect on its operations or financial status. Cencora reported revenues of $262.2 billion in 2023.

Cencora has so far notified about half a million individuals since learning of the data breach. The number of individuals affected by the Cencora data breach is expected to be far higher. Cencora says on its website that it has served at least 18 million patients to date.

What Information Was Stolen?

According to filings submitted by client pharmaceuticals to the California Attorney General, the companies lost customers’ full names, postal addresses, health diagnoses, medications, and prescriptions. 

In letters to affected individuals sent out this week, Cencora said that the data from its systems includes patient names, their postal address and date of birth, as well as information about their health diagnosis and medications.

The pharma giant said it had initially obtained patients’ data through partnerships with the drug makers it works with “in connection with its patient support programs.”

What is Cencora Doing To Protect My Identity?

Citing the genuine risk of identity theft, phishing, and other forms of attacks, individuals affected by the breach are being offered two years of identity protection and credit monitoring services.

What Can Hackers Do With My Information?

Stolen PII and PHI can be used to commit identity theft, open new credit accounts, make unauthorized purchases or obtain loans. Cyber-criminals have recently targeted America’s essential industries and in so doing have forced millions of Americans to face the fallout from these attacks.

Leaked or stolen data can be sold on the dark web forums and may be used for fraud and medical identity theft, a type of fraud, where threat actors use stolen information to submit forged claims to insurers.

Clients affected by the breach are exposed to a heightened and imminent risk of fraud and identity theft. They must now and in the future closely monitor their financial accounts to guard against identity theft and fraud.

If you receive a data breach notification from Cencora, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options at no cost to you. For more information, please review these recommendations.

Protect Your Identity. Join the Cencora Data Breach Class Action.

If you receive a notification letter from Cencora, you are at permanent risk of identity theft and the devastating financial and legal consequences that go along with it.

You may be eligible to participate in a class action lawsuit to recover compensation for loss of privacy, time spent dealing with the breach, out-of-pocket costs, and more.

The lawsuit looks to cover anyone in the USA whose private information was compromised by the breach announced by Cencora.

Please complete the below form shown on this page and a data breach attorney will contact you. There is no cost to you.


Leave a Reply

Your email address will not be published. Required fields are marked *