Business
US drug maker Cencora says Americans’ health information stolen in data breach
U.S. drug maker Cencora says it is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year.
In letters to affected individuals sent out this week, Cencora said that the data from its systems includes patient names, their postal address and date of birth, as well as information about their health diagnosis and medications.
The pharmaceutical giant said it had initially obtained patients’ data through partnerships with other drug makers “in connection with its patient support programs.” That includes patients of Abbvie, Acadia, Bayer, Novartis, Regeneron, and other businesses.
Cencora has not yet described the nature of the cyberattack, which had began on February 21 and was not publicly disclosed until the company filed notice with government regulators a week later on February 27. The company, known as AmerisourceBergen until 2023, handles around 20% of the pharmaceuticals sold and distributed throughout the United States.
Cencora spokesperson Mike Iorfino told TechCrunch in an email that Cencora was unwilling to say if the company has determined how many individuals are affected by the breach, and how many individuals the company has notified to date.
This is the latest security incident to hit the U.S. healthcare sector following a spate of cyberattacks in recent months, following the huge data breach and lasting outages at UnitedHealth-owned Change Healthcare and the recent and ongoing cyberattack that knocked much of Ascension’s hospital network offline.
Cencora’s spokesperson said there is “no connection” between the incident at Cencora and the cyberattacks at Change and Ascension.
According to the public data breach notifications filed by Cencora with U.S. state authorities, which TechCrunch has seen, Cencora has so far notified about half a million individuals since learning of the data breach. The number of individuals affected by the Cencora data breach is expected to be far higher. Cencora says on its website that it has served at least 18 million patients to date.
Cencora said it published a notice on its website explaining that the company “does not have address information to provide direct notice” for some individuals affected by the data breach.
Spokespeople for the affected drug makers Abbvie, Acadia, Bayer, and Regeneron did not return a request for comment from TechCrunch.
Novartis spokesperson Michael Meo confirmed Novartis was “recently made aware of a cyber incident involving the patient services businesses Cencora and its affiliate, Innomar Strategies in Canada, which have both provided services for Novartis,” but declined to comment further or say how many Novartis patients are affected by the data breach. The spokesperson declined to say whether Cencora has told Novartis how many of its patients are affected.
Cencora made $262 billion in revenue during 2023, up 10% on the previous year, according to its latest financials. The company does not say how much it spends on cybersecurity.
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
-
Entertainment6 days ago
Teen AI companion: How to keep your child safe
-
Entertainment6 days ago
‘Wallace and Gromit: Vengeance Most Fowl’ review: A delightful romp with an anti-AI streak
-
Entertainment5 days ago
‘Dragon Age: The Veilguard’ review: BioWare made a good game again
-
Entertainment5 days ago
Polling 101: Weighting, probability panels, recall votes, and reaching people by mail
-
Entertainment4 days ago
‘Only Murders in the Building’ Season 4 ending explained: Who killed Sazz and why?
-
Entertainment4 days ago
5 Dyson Supersonic dupes worth the hype in 2024
-
Entertainment3 days ago
When will we have 2024 election results online?
-
Entertainment3 days ago
Social media drives toxic fandom. Is there a solution?