Summarize

Simplifying... Inshort

Pharmaceutical company Cencora has confirmed a data breach from February, with over 1.43 million patients notified so far.
The breach, unrelated to other recent health data incidents, is considered one of the largest health-related data compromises of 2024.
However, Cencora is still struggling to reach all affected individuals due to outdated contact information.

Was a long read? Making it simpler...

Next Article

The data breach has affected over a million people

Pharma data breach: Cencora confirms patient information stolen in February

By Akash Pandey

Aug 03, 2024

11:17 am

What's the story

US-based pharmaceutical behemoth Cencora, has issued a warning to over one million people in the nation about a data breach that occurred earlier this year, according to TechCrunch. The company, formerly known as AmerisourceBergen until 2023, first reported the breach in May. It stated that the incident took place in February and involved health information such as patient names, postal addresses, dates of birth, health diagnoses, medications, and prescriptions.

Data source

Data sourced from drug makers

The breached data was obtained through Cencora's partnerships with drug makers for its patient support programs. The company collaborates with several pharmaceutical firms including AbbVie, Bayer, Pfizer, and Regeneron. However, Cencora has not disclosed details about what led to the data breach, such as whether the incident was due to malicious hackers or a security lapse within the organization. The company also didn't confirm the exact number of individuals notified about the incident.

Notification process

Over 1.43 million individuals notified

TechCrunch's analysis of published data breach notifications suggests that at least 1.43 million individuals have been alerted by Cencora about their compromised data. This figure was derived from examining data breach notices on the websites of several US state attorneys general, including those from Delaware, Montana, New Hampshire, Iowa, Massachusetts, Texas, and Washington. The most recent notification was issued by Cencora to affected individuals in mid-July, indicating that the pharmaceutical giant is still notifying individuals whose data was compromised.

Communication challenges

Cencora unable to reach all affected individuals

Cencora has admitted in its data breach notice that it cannot reach everyone affected due to outdated address information. When contacted by TechCrunch via email on Friday, company spokesperson Mike Iorfino did not dispute the number of individuals notified so far but declined to provide a more precise figure or comment further on the matter. This incident is considered one of the largest compromises of health-related information in 2024, per the US Department of Health and Human Services (HHS).

Unconnected incidents

Data breach unrelated to Change Healthcare incident

Cencora has clarified that its data breach is not connected to the ransomware attack and data breach at Change Healthcare, a health tech subsidiary of UnitedHealth. The latter incident is likely one of the largest health-related data breaches in US history, affecting at least 100 million US residents. This clarification comes amid a year marked by significant breaches, including those involving health insurance giant Kaiser and prescription management company Sav-Rx.