Recently, the Lash Group, a division of Cencora (formerly AmerisourceBergen), disclosed a data breach that exposed tens of thousands of consumers' sensitive information.
What happened
The Lash Group discovered that an unauthorized party accessed and exfiltrated confidential information from its network. The data breach was identified on February 21, 2024, and involved sensitive patient data, including names, birth dates, health diagnoses, and medications.
Affected individuals were those enrolled in patient support programs through major pharmaceutical companies such as Regeneron, AbbVie, Genentech, and GlaxoSmithKline. Lash Group began notifying affected individuals on April 10, 2024.
Going deeper
The Lash Group, established in 1986, is a division of Cencora (formerly known as AmerisourceBergen Corporation). It is headquartered in Fort Mill, South Carolina, and specializes in running patient support programs for pharmaceutical companies. These programs ensure that costly medications are accessible to qualifying patients, regardless of their ability to pay.
What was said
The Lash Group’s Notice of Data Security Incident states, "There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”
The statement also states that individuals should “be assured that we are also working with cybersecurity experts to reinforce our systems and information security protocols in an effort to prevent incidents like this from occurring in the future.”
Furthermore, Lash Group will offer affected individuals “access to Experian IdentityWorksSM credit monitoring and remediation services for 24 months at no charge.”
By the numbers
The Lash Group currently operates over 100 patient support programs and has served more than 15 million patients. It generates approximately $845 million in annual revenue, with over 4,000 employees facilitating patient access to necessary medications and treatments.
Furthermore, the data incident was discovered on February 21, 2024, while affected individuals were notified by April 10, 2024.
Why it matters
Patients affected by this breach may face risks of identity theft and fraud. Victims should monitor their financial and medical records for suspicious activity by using the credit monitoring and identity theft remediation services provided.
Related: HIPAA Compliant Email: The Definitive Guide
