Eight drug companies' information stolen due to Cencora data breach

U.S. pharmaceutical giant Cencora says it is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year. 

Eight drug companies have disclosed data breaches due to a February 2024 cyberattack at Cencora, with which they partner for pharmaceutical and business services.

Cencora, formerly AmerisourceBergen, is a pharmaceutical services provider specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support.

In letters to affected individuals sent out this week, Cencora said that the data from its systems includes patient names, postal addresses and dates of birth, as well as information about their health diagnoses and medications.

In February 2024, Cencora disclosed a data breach in a Form 8-K filing with the SEC, stating that unauthorized parties gained access to its information systems and exfiltrated personal data.

The pharma giant said it had initially obtained patients’ data through partnerships with the drug makers it works with “in connection with its patient support programs.”

The eight firms impacted by this breach, all using almost identical data breach notifications, are:

  1. Novartis Pharmaceuticals Corporation – One of the largest pharmaceutical companies globally, with a strong presence in various therapeutic areas including oncology, neuroscience, and immunology.
  2. Bayer Corporation – A large multinational company with significant operations in pharmaceuticals, consumer health, and agricultural products.
  3. AbbVie Inc. – Known for its blockbuster drug Humira, AbbVie is a major player in immunology and oncology.
  4. Regeneron Pharmaceuticals, Inc. – Notable for its innovative treatments in ophthalmology, oncology, and immunology.
  5. Genentech, Inc. – A member of the Roche Group, Genentech is a leader in biotechnology and has made significant contributions to cancer treatment.
  6. Incyte Corporation – Focuses on oncology and hematology, with key products like Jakafi.
  7. Sumitomo Pharma America, Inc. – Part of the Sumitomo Pharma Co., Ltd., known for its diverse portfolio in psychiatry, neurology, and oncology.
  8. Acadia Pharmaceuticals Inc. – Specializes in central nervous system disorders and has a smaller market presence than the others.

Cencora has not yet described the nature of the cyberattack, which began on February 21 and was not publicly disclosed until the company filed notice with government regulators a week later on February 27. The company, known as AmerisourceBergen until 2023, handles around 20% of the pharmaceuticals sold and distributed throughout the United States.

As a response to the elevated risk for exposed individuals, Cencora is offering recipients two years of free identity protection and credit monitoring services through Experian, which they can take advantage of until August 30, 2024.

According to the public data breach notifications filed by Cencora with U.S. state authorities, Cencora has so far notified about half a million individuals since learning of the data breach. The number of individuals affected by the Cencora data breach is expected to be far higher. Cencora says on its website that it has served at least 18 million patients to date.