In February, Cencora (formerly known as AmerisourceBergen/Lash Group) filed notice of a cybersecurity incident with the Securities and Exchange Commission:
On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.
As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
Data Breach Times has not found any updated report to the SEC since then about whether Cencora considers this a material incident, but in the past few weeks at least 15 entities have started notifying patients of the breach. As first reported by DataBreaches.net, those entities are:
- AbbVie
- Acadia Pharmaceuticals
- Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation
- Dendreon
- Endo
- Genentech
- GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation
- Incyte Corporation
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Novartis Pharmaceuticals
- Pharming Healthcare, Inc.
- Regeneron Pharmaceuticals
- Sumitomo Pharma America, Inc.
- Tolmar
The number of patients affected at each entity has not yet been disclosed, but the partial numbers available indicate that more than 542,000 patients have already been notified.
The breach involved information stolen from a prescription supply program offered by a now-defunct subsidiary of Cencora, Medical Initiatives Inc. The Lash Group’s substitute notice describes the stolen information as including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions.
There has been no mention of any extortion attempt and no ransomware group has listed the incident on any leak site so far. The Lash Group’s notice states, in part:
“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”
DataBreaches.net reported that they contacted Lash Group to ask, “Does Lash Group have any evidence or reason to believe that the information will NOT be publicly disclosed or misused? Did Lash Group or Cencora pay any ransom or extortion to try to protect the patient data?”
They do not appear to have gotten any reply.