U.S. pharmaceutical giant Cencora is notifying affected individuals that their personal and sensitive medical information was stolen during a cyberattack and data breach earlier this year.
In letters sent to affected individuals this week, Cencora stated that the compromised data includes patient names, postal addresses, dates of birth, health diagnoses, and medications. This information was initially obtained through partnerships with drug makers involved in Cencora’s patient support programs, including Abbvie, Acadia, Bayer, Novartis, Regeneron, and others.
The nature of the cyberattack, which began on February 21, has not yet been described by Cencora. The breach was publicly disclosed a week later on February 27, when the company filed notice with government regulators. Previously known as AmerisourceBergen until 2023, Cencora handles approximately 20% of the pharmaceuticals sold and distributed across the United States.
Cencora spokesperson Mike Iorfino stated via email that the company has not determined how many individuals are affected by the breach or how many have been notified to date.
This incident is the latest in a series of cyberattacks targeting the U.S. healthcare sector. Recent months have seen significant breaches and outages, such as the massive data breach at UnitedHealth-owned Change Healthcare and the ongoing cyberattack that has disrupted much of Ascension’s hospital network.
Cencora’s spokesperson emphasized that there is “no connection” between their incident and the cyberattacks at Change and Ascension. Public data breach notifications filed by Cencora with U.S. state authorities indicate that the company has notified about half a million individuals since discovering the breach. However, the total number of affected individuals is expected to be much higher, as Cencora has served at least 18 million patients to date.
Cencora also published a notice on its website explaining that the company lacks address information to provide direct notice to some individuals affected by the breach.
Spokespeople for the affected drug makers Abbvie, Acadia, Bayer, and Regeneron did not respond to requests for comment. Novartis spokesperson Michael Meo confirmed that Novartis was “recently made aware of a cyber incident involving the patient services companies Cencora and its affiliate, Innomar Strategies in Canada,” which have both provided services for Novartis. However, Meo declined to comment further or disclose how many Novartis patients were affected by the data breach. He also did not confirm whether Cencora has provided Novartis with the number of its patients impacted.
In 2023, Cencora reported $262 billion in revenue, a 10% increase from the previous year, according to its latest financial statements. The company has not disclosed its cybersecurity expenditure.