Cencora, a major pharmaceutical company in the U.S., recently announced that it experienced a cyberattack and data breach earlier this year. The company is now notifying affected individuals that their personal and highly sensitive medical information was stolen during the attack. The compromised data includes patient names, postal addresses, dates of birth, health diagnoses, and medication information.
The company revealed that it initially obtained patients’ data through partnerships with drug makers as part of its patient support programs. Some of the companies involved include Abbvie, Acadia, Bayer, Novartis, and Regeneron. However, Cencora has not disclosed the nature of the cyberattack, which started on February 21 and was only made public a week later when the company filed notice with government regulators.
Cencora has not provided specific details regarding the number of individuals affected by the breach or the number of individuals notified so far. This lack of transparency raises concerns about the scale of the incident and the potential impact on patients. The company’s spokesperson, Mike Iorfino, declined to comment on these matters.
Unfortunately, this cyberattack on Cencora is not an isolated incident in the healthcare sector. In recent months, there have been several high-profile cyberattacks targeting healthcare organizations. For example, UnitedHealth-owned Change Healthcare experienced a massive data breach and lasting outages, while Ascension’s hospital network has been under an ongoing cyberattack. However, Cencora maintains that there is no connection between these incidents.
According to public data breach notifications filed by Cencora with state authorities, approximately half a million individuals have been notified about the breach so far. However, considering that Cencora claims to have served at least 18 million patients to date, it is expected that the number of affected individuals is much higher.
One challenge faced by Cencora is that it does not have address information for all affected individuals, making direct notification difficult. As a result, the company published a notice on its website to inform individuals about the breach. It remains to be seen how effective this method will be in reaching all affected patients.
TechCrunch reached out to the drug makers involved, including Abbvie, Acadia, Bayer, and Regeneron, but did not receive any comments. Novartis, however, confirmed that it was made aware of the cyber incident involving Cencora and its affiliate, Innomar Strategies in Canada. Although Novartis did not provide further details or specify the number of affected patients, it is clear that the company is directly impacted by the breach.
It is concerning that Cencora has not disclosed the number of affected individuals or the amount of money it spends on cybersecurity. Given that the company made $262 billion in revenue in 2023, an increase of 10% from the previous year, it is crucial for Cencora to prioritize investment in robust cybersecurity measures to protect patient data and prevent future breaches.
In conclusion, the cyberattack and data breach at Cencora highlight the ongoing challenges faced by the healthcare sector in safeguarding sensitive patient information. The lack of transparency regarding the scale of the breach and the potential impact on patients raises concerns about the industry’s ability to effectively protect patient data. It is imperative for healthcare organizations to prioritize cybersecurity efforts and invest in robust systems and protocols to prevent future breaches and protect patient privacy.