Cencora has notified over a million people across the U.S. that their personal and protected health information was compromised in a data breach earlier this year.
Incident and Partnerships
The pharmaceutical giant announced in May that a February incident compromised patient data, which Cencora had obtained through partnerships with drug makers for its patient support programs. These drug makers include AbbVie, Bayer, Pfizer, and Regeneron.
Details of Compromised Data
Formerly known as AmerisourceBergen until 2023, Cencora stated in its data breach notice that the compromised information includes patient names, postal addresses, dates of birth, health diagnoses, medications, and prescriptions.
Lack of Disclosure on Cause
Cencora has not disclosed the cause of the data breach, whether malicious hackers or an internal security lapse caused it. The company also refused to confirm the total number of individuals notified about the breach.
Data Analysis
Analysis of data breach notifications revealed that at least 1.43 million individuals were informed that their data was compromised in the February incident. This analysis involved searching notifications published on the websites of several U.S. state attorneys general, including Delaware, Iowa, Massachusetts, Montana, New Hampshire, Texas, and Washington. These states require companies affected by a breach to disclose the specific number of residents notified. Texas had the highest number, with 1.05 million individuals informed about the Cencora breach.
Ongoing Notifications
Cencora submitted its most recent data breach notice to affected individuals in mid-July, indicating that. The company is still alerting those whose data was compromised. The total number of affected individuals is likely much higher, as Cencora admitted it cannot notify everyone due to outdated address information.
Patient Base
Cencora reported earlier this year that it has served at least 18 million patients to date.
Data Company Response
When contacted by email, Cencora spokesperson Mike Iorfino did not dispute the number of individuals notified but declined to provide a more accurate figure or comment further.
Comparison with Other Breaches
HHS’s 2024 tally includes health insurance giant Kaiser. Which notified over 13.4 million individuals after inadvertently sharing patients’ personal. Health information with advertisers; prescription management company Sav-Rx. Which notified 2.8 million individuals of stolen health information in a cyberattack; and health benefits administrator WebTPA. Which informed 2.5 million individuals of stolen insurance information and Social Security numbers.
UnitedHealth’s Incident
This is one of the biggest health-related data breaches in the United States, taking place in February. It may have affected around 100 million residents. Which is a “significant number of people in America,” even if the exact figure is not yet known.
