Data breach at pharma partner Cencora puts sensitive patient information at risk

A data breach at drug distributor Cencora has left sensitive information vulnerable, with patients on medicines from a dozen drugmakers potentially affected.

Cencora, formerly known as AmerisourceBergen, and its patient services unit Lash Group have submitted a data breach notification to the California attorney general’s office. In letters to patients, Cencora explained that it learned “data from its information systems had been exfiltrated” on Feb. 21.

The company quickly kicked off an investigation aided by law enforcement, cybersecurity experts and outside lawyers. On April 10, the company confirmed that some customer information had been exposed in the breach.

The company sent letters to patients receiving medicines marketed by Bristol Myers Squibb, Bayer, Genentech, Acadia, AbbVie, Novartis, Regeneron, Incyte, Dendreon Pharmaceuticals, Sumitomo Pharma, Endo and GSK.

The information involved could include first and last names, addresses, birthdates, health diagnoses and prescriptions, Cencora warned.

However, there is “no evidence that any of this information has been or will be publicly disclosed, or that any information was misused for fraudulent purposes,” the letters emphasized.

The company is offering free fraud detection and credit monitoring for two years to those who may be affected.

Cencora first disclosed the breach in a February Securities and Exchange Commission filing, noting that the incident had no material impact on the company’s operations at the time.

“The Lash Group and its affiliates take this incident and the security of information entrusted to them very seriously,” the Cencora subsidiary said in a recent press release, adding that it is “working with cybersecurity experts to reinforce its systems and information security protocols” to prevent future incidents.

Data breaches have become somewhat common in the industry in recent years. Patients using Johnson & Johnson’s patient assistance program, Janssen CarePath, last year faced a similar situation when a technical flaw allowed “unauthorized access” to personal information, J&J service provider IBM reported at the time. J&J ultimately sent a letter to all customers out of an “abundance of caution.”

More recently, the Change Healthcare cyberattack has put a brighter spotlight on the issue. That February hack may have impacted “a substantial proportion of people in America,” Change’s parent company, UnitedHealth Group, disclosed in April.