Pharmaceutical giant Cencora, formerly known as AmerisourceBergen, has confirmed that a February 2024 cyberattack resulted in the unauthorized access and exfiltration of protected health information (PHI) and personally identifiable information (PII).
The breach, initially discovered by Cencora’s subsidiary Lash Group, has since been revealed as more extensive than originally reported.
What happened
In February 2024, Cencora experienced a network server breach that compromised sensitive patient data, including names, addresses, dates of birth, health diagnoses, and medications.
Since then, Cencora has updated its Form 8-K filing with the Securities and Exchange Commission (SEC), acknowledging that more data was breached than initially thought.
While the exact number of affected individuals has not been confirmed, the breach exposed data from multiple pharmaceutical and biotechnology companies including:
- AbbVie Inc.
- Acadia Pharmaceuticals Inc.
- Bayer Corporation
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group
- Incyte Corporation
- Novartis Pharmaceuticals Corporation
- Regeneron Pharmaceuticals, Inc.
- Sumitomo Pharma America, Inc.
The backstory
Three separate breach reports have been filed with the HHS Office for Civil Rights. Two of these were filed by AmerisourceBergen Specialty Group, affecting 252,214 and 3,102 individuals, respectively, and one by The Lash Group, which affected 15,196 individuals.
Lash Group, a division of Cencora, detected the cyberattack on February 21, 2024. It then notified affected individuals on April 10, 2024, offering 24 months of free credit monitoring and identity theft remediation services.
What was said
In its updated SEC filing, Cencora states, "The company learned that additional data, beyond what was initially identified, had been exfiltrated. The company has identified and completed its review of most of the exfiltrated data."
Furthermore, the Lash Group's notice of data security incident states, "There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident…"
Why it matters
The Cencora breach is part of a larger trend where healthcare breaches are becoming more common, as seen in other recent high-profile cases like the attacks on Change Healthcare and Ascension.
These breaches expose individuals’ PHI and PII, putting individuals at risk for long-term consequences like identity theft and fraud.
The bottom line
Affected individuals must use the credit monitoring and identity theft remediation services offered, monitoring their financial and medical records for suspicious activity.
Moreover, healthcare providers must re-evaluate their security protocols, improve their threat detection and response systems, and use advanced encryption to prevent future data breaches.
FAQs
What is PHI?
Protected health information (PHI) is any information that can be used to identify a patient and relates to their health status, treatment, or payment for healthcare.
What is PII?
Personally identifiable information (PII) includes any data that can be used to identify a specific individual, like names, addresses, and Social Security numbers.
What is considered a breach of PHI?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.