Data breach at medical giant Cencora exposes info from multiple drug companies

News
By
published

Almost a dozen drug providers report losing sensitive data

healthcare
(Image credit: Shutterstock)

Almost a dozen pharmaceutical companies, including several major players, have lost sensitive customer data due to a supply chain cyberattack that trickled down from pharma giant Cencora.

In late February 2024, drug wholesale company Cencora (previously known as AmerisourceBergen) filed a Form 8-K with the Securities and Exchange Commission (SEC), reporting a data breach incident, without going into too many details. 

Now, BleepingComputer has found 11 pharmaceutical companies, all submitting almost identical breach notification letters to the California Attorney General’s office, and all claiming a data breach as a result of the Cencora incident.

Identity theft and phishing

The affected companies are Novartis Pharmaceuticals Corporation, Bayer Corporation, AbbVie, Regeneron Pharmaceuticals, Genentech, Incyte Corporation, Sumitomo Pharma America, Acadia Pharmaceuticals, GlaxoSmithKline Group, Endo Pharmaceuticals, and Dendreon Pharmaceuticals.

The companies lost customers’ full names, postal addresses, health diagnoses, medications, and prescriptions. 

At this time, there doesn't appear to be any evidence of data misuse, however, since there is genuine risk of identity theft, phishing, and other forms of attacks, the exposed individuals will be offered two years of free identity protection and credit monitoring through Experian. 

Cencora’s investigation, which apparently concluded in mid-April 2024, found the incident to be a data smash-and-grab, rather than a ransomware attack - so the company does not expect the attack to have a significant effect on its operations or financial status. However, there is always the possibility of a class-action lawsuit, or the EU investigating if there was a breach of GDPR.

Cencora is a pharmacy behemoth with more than 46,000 employees, and roughly $262.2 billion in revenue, in 2023 alone. It is based out of Pennsylvania and operates in some 50 countries around the world. While all 11 of the victims are pharma giants, Novartis can be singled out as one of the world’s biggest companies in the industry, with significant operations in oncology, neuroscience, and immunology.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.