Pharma data breach: Cencora confirms patient information stolen in February
What's the story
US-based pharmaceutical behemoth Cencora, has issued a warning to over one million people in the nation about a data breach that occurred earlier this year, according to TechCrunch. The company, formerly known as AmerisourceBergen until 2023, first reported the breach in May. It stated that the incident took place in February and involved health information such as patient names, postal addresses, dates of birth, health diagnoses, medications, and prescriptions.
Data source
Data sourced from drug makers
The breached data was obtained through Cencora's partnerships with drug makers for its patient support programs. The company collaborates with several pharmaceutical firms including AbbVie, Bayer, Pfizer, and Regeneron. However, Cencora has not disclosed details about what led to the data breach, such as whether the incident was due to malicious hackers or a security lapse within the organization. The company also didn't confirm the exact number of individuals notified about the incident.
Notification process
Over 1.43 million individuals notified
TechCrunch's analysis of published data breach notifications suggests that at least 1.43 million individuals have been alerted by Cencora about their compromised data. This figure was derived from examining data breach notices on the websites of several US state attorneys general, including those from Delaware, Montana, New Hampshire, Iowa, Massachusetts, Texas, and Washington. The most recent notification was issued by Cencora to affected individuals in mid-July, indicating that the pharmaceutical giant is still notifying individuals whose data was compromised.
Communication challenges
Cencora unable to reach all affected individuals
Cencora has admitted in its data breach notice that it cannot reach everyone affected due to outdated address information. When contacted by TechCrunch via email on Friday, company spokesperson Mike Iorfino did not dispute the number of individuals notified so far but declined to provide a more precise figure or comment further on the matter. This incident is considered one of the largest compromises of health-related information in 2024, per the US Department of Health and Human Services (HHS).
Unconnected incidents
Data breach unrelated to Change Healthcare incident
Cencora has clarified that its data breach is not connected to the ransomware attack and data breach at Change Healthcare, a health tech subsidiary of UnitedHealth. The latter incident is likely one of the largest health-related data breaches in US history, affecting at least 100 million US residents. This clarification comes amid a year marked by significant breaches, including those involving health insurance giant Kaiser and prescription management company Sav-Rx.