Data Breaches

Personal, Health Information Stolen From Pharma Giant Cencora

Pharma giant Cencora has confirmed that personal and health information was stolen in a February 2024 cyberattack.

Pharma giant Cencora this week confirmed that personally identifiable information (PII) and protected health information (PHI) were stolen in a February 2024 cyberattack.

The incident was identified on February 21 and disclosed a few days later in a regulatory filing, when the company said that personal information was exfiltrated from its systems.

In a July 31 filing with the Securities and Exchange Commission (SEC), Cencora said that “additional data, beyond what was initially identified, had been exfiltrated”.

The company has identified and completed its review of most of the exfiltrated data. This review has confirmed that the data included personally identifiable information and protected health information of individuals, most of which is maintained by a company subsidiary that provides patient support services, Cencora said.

Cencora also noted that the attack has not had a material impact on its operations, that its systems remained fully operational, and that no material impact on financial condition or results of operations is expected.

The pharmaceutical giant, which believes it has contained the incident, said it has provided notifications to the impacted individuals and regulatory agencies, but did not share details on the stolen information.

In May, however, Cencora subsidiary Lash Group announced that information stolen from its parent company includes names, dates of birth, health diagnosis, and/or medications and prescriptions.

Lash Group said it was in the process of notifying the impacted individuals, but also posted an incident notice on its website, as it did not have address information to mail letters to all of them.

In June, Cencora filed with the Office of the Vermont Attorney General a sample of the written notification letter, which shows that the impacted individuals were offered two years of free credit monitoring and remediation services.

Cencora did not say how many people were impacted, but said that the compromised information was shared with it by the pharmaceutical companies, pharmacies, and healthcare providers it partners with.

At least 40 of these partners disclosed impact from the data breach in regulatory filings with the Montana Office of Consumer Protection (OCP).

Cencora’s subsidiary AmerisourceBergen Specialty Group told the US Department of Health and Human Services in May that over 250,000 individuals were affected by a data breach, but its parent company claims to have served over 15 million patients to date.

Cencora has not shared details on the type of cyberattack it fell victim to, but the incident notice and the notification letters suggest that the company engaged in communication with the attackers and likely paid a ransom to ensure that the stolen information was deleted.

“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident,” the company said.

In a report earlier this week, Zscaler revealed that a Fortune 50 company paid the Dark Angels ransomware group a $75 million ransom in early 2024. While Cencora is a Fortune 50 business, no ransomware group has claimed responsibility for targeting it.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
