US pharmaceutical giant Cencora says it is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyber attack and data breach earlier this year.
In letters to affected people sent this week, Cencora said data from its systems includes patients’ names, postal address and date of birth, as well as information about their health diagnosis and medications.
The pharmaceutical giant said it initially obtained patient data through partnerships with drugmakers it works with “in connection with patient support programs.” This includes patients of Abbvie, Acadia, Bayer, Novartis, Regeneron and other companies.
Cencora has not yet described the nature of the cyberattack, which began on February 21 and was not publicly disclosed until the company filed a notice with government regulators a week later on February 27. The company, known as AmerisourceBergen until 2023, manages about 20% of the pharmaceutical products sold and distributed across the United States.
Cencora spokesman Mike Iorfino told TechCrunch in an email that Cencora was unwilling to say whether the company has determined how many people are affected by the breach and how many people the company has notified to date.
This is the latest security incident to hit the US healthcare sector following a series of cyberattacks in recent months, following the massive data breach and permanent outages at UnitedHealth-owned Change Healthcare and the recent and ongoing cyberattack that knocked much of Ascension’s hospital network offline.
The Cencora spokesman said there was “no connection” between the incident at Cencora and the cyberattacks on Change and Ascension.
According to public data breach notifications Cencora filed with US government authorities seen by TechCrunch, Cencora has so far notified about half a million people since learning of the data breach. The number of people affected by the Cencora data breach is expected to be much higher. Cencora says on its website that it has served at least 18 million patients to date.
Cencora said it was published announcement on its website explaining that the company “does not have address information to provide immediate notification” for some individuals affected by the data breach.
Representatives for affected drugmakers Abbvie, Acadia, Bayer and Regeneron did not respond to TechCrunch’s request for comment.
Novartis spokesman Michael Meo confirmed that Novartis was “recently made aware of a cyber incident involving patient services companies Cencora and its subsidiary, Innomar Strategies in Canada, which provided services for Novartis,” but denied to further comment or say how many Novartis patients are affected by the data breach. The spokesman declined to say whether Cencora has told Novartis how many of its patients have been affected.
Cencora is on track for revenue of $262 billion in 2023, up 10% from the previous year, according to its latest financials. The company does not say how much it spends on cyber security.
Updated at 10:15 am. to modify the heading.
To contact this reporter, contact on Signal and WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.
