US drugmaker Cencora says Americans’ health information stolen in data breach


US pharmaceutical company Cencora said it is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year.

In letters sent to affected individuals this week, Cencora said the data obtained from its systems included patients’ names, mailing addresses and dates of birth, as well as information about their health diagnoses and medications.

The pharma giant said it initially acquired patient data through partnerships with drugmakers it works with in connection with their patient assistance programs, which include patients from AbbVie, Acadia, Bayer, Novartis, Regeneron and others.

Cencora has not yet described the nature of the cyberattack, which began on Feb. 21 and was not publicly disclosed until the company filed a notice with government regulators a week later on Feb. 27. The company, known as AmerisourceBergen until 2023, handles about 20% of the pharmaceuticals sold and distributed throughout the United States.

Cencora spokesperson Mike Iorfino told TechCrunch via email that Cencora was not prepared to say whether the company had determined how many individuals were affected by the breach, or how many it had notified so far.

It’s the latest security incident in the U.S. healthcare sector following a string of cyberattacks in recent months, including a massive data breach and prolonged disruption at UnitedHealth-owned Change Healthcare and a recent, ongoing cyberattack that knocked much of Ascension’s hospital network offline.

A Cencora spokesperson said there was “no connection” between the Cencora incident and the cyberattacks on Change and Ascension.

According to public data breach notifications filed by Cencora with US state authorities, which TechCrunch has seen, Cencora has notified nearly half a million individuals since learning of the data breach. The number of individuals affected by the Cencora data breach is expected to be far higher. Cencora says on its website that it has served at least 18 million patients to date.

Cencora said it has published a notice on its website explaining that the company “does not have address information to directly notify” some of the individuals affected by the data breach.

Spokespersons for the affected drugmakers, AbbVie, Acadia, Bayer, and Regeneron, did not respond to TechCrunch’s request for comment.

Novartis spokesman Michael Meo confirmed that Novartis was “recently made aware of a cyber incident involving patient services companies Cencora and its affiliate in Canada, Innomar Strategies, both of which provide services for Novartis,” but he declined to comment further or say how many Novartis patients were affected by the data breach. The spokesman declined to say whether Cencora had told Novartis how many of its patients were affected.

Cencora projects revenue of $262 billion during 2023, up 10% from the previous year, according to its latest financial statements. The company does not disclose how much it spends on cybersecurity.

Updated at 10:15 a.m. to revise the headline.

To contact this reporter, please contact us on Signal and WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.

