U.S. pharmaceutical company Cencora is informing affected individuals that their personal and sensitive medical data was stolen in a cyberattack and data breach earlier this year.
In letters sent this week, Cencora said the compromised data includes patient names, postal addresses, dates of birth, health diagnoses, and medications.
Cencora stated that the patient data was initially collected through partnerships with drug manufacturers involved in its patient support programs, including companies like Abbvie, Acadia, Bayer, Novartis, Regeneron, and others.
The company has not detailed the nature of the cyberattack, which began on February 21 and was publicly disclosed only after a notice was filed with government regulators on February 27. Formerly known as AmerisourceBergen until 2023, Cencora manages around 20% of the pharmaceuticals sold and distributed in the United States.
Cencora spokesperson Mike Iorfino told Truth Voices via email that the company has not disclosed how many individuals are affected by the breach or how many notifications have been sent so far.
This incident is the latest in a string of cyberattacks affecting the U.S. healthcare sector, following significant breaches and outages at UnitedHealth-owned Change Healthcare and the ongoing cyberattack that disrupted Ascension’s hospital network.
Cencora’s spokesperson asserted that there is “no connection” between their breach and the incidents at Change Healthcare and Ascension.
According to breach notifications filed by Cencora with U.S. state authorities, about half a million individuals have been notified since the breach was discovered. However, the number of affected individuals is expected to be significantly higher, as Cencora states on its website that it has served at least 18 million patients.
Cencora published a notice on its website stating it lacks address information to directly notify some individuals affected by the breach.
Representatives from Abbvie, Acadia, Bayer, and Regeneron did not respond to Truth Voices’s request for comments.
Novartis spokesperson Michael Meo confirmed that Novartis was “recently made aware of a cyber incident involving the patient services companies Cencora and its Canadian affiliate, Innomar Strategies, both of which have serviced Novartis.” However, he declined to provide further details or specify how many Novartis patients are affected. He also would not confirm whether Cencora has informed Novartis about the number of its affected patients.
Cencora reported $262 billion in revenue in 2023, a 10% increase from the previous year, according to its latest financials. The company does not disclose its cybersecurity expenditure.
Updated at 10:15 a.m. to amend the headline.
