US drug maker Cencora says Americans’ health information stolen in data breach

U.S. drug maker Cencora says it is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year. 

In letters to affected individuals sent out this week, Cencora said that the data from its systems includes patient names, their postal address and date of birth, as well as information about their health diagnosis and medications.

The pharmaceutical giant said it had initially obtained patients’ data through partnerships with other drug makers “in connection with its patient support programs.” That includes patients of Abbvie, Acadia, Bayer, Novartis, Regeneron, and other companies.

Cencora has not yet described the nature of the cyberattack, which began on February 21 and was not publicly disclosed until the company filed notice with government regulators a week later on February 27. The company, known as AmerisourceBergen until 2023, handles around 20% of the pharmaceuticals sold and distributed throughout the United States.

Cencora spokesperson Mike Iorfino told TechCrunch in an email that Cencora was unwilling to say if the company has determined how many individuals are affected by the breach, and how many individuals the company has notified to date.

This is the latest security incident to hit the U.S. healthcare sector following a spate of cyberattacks in recent months, following the huge data breach and lasting outages at UnitedHealth-owned Change Healthcare and the recent and ongoing cyberattack that knocked much of Ascension’s hospital network offline.

Cencora’s spokesperson said there is “no connection” between the incident at Cencora and the cyberattacks at Change and Ascension.

According to the public data breach notifications filed by Cencora with U.S. state authorities, which TechCrunch has seen, Cencora has so far notified about half a million individuals since learning of the data breach. The number of individuals affected by the Cencora data breach is expected to be far higher. Cencora says on its website that it has served at least 18 million patients to date.

Cencora said it published a notice on its website explaining that the company “does not have address information to provide direct notice” for some individuals affected by the data breach.

Spokespeople for the affected drug makers Abbvie, Acadia, Bayer, and Regeneron did not return a request for comment from TechCrunch. 

Novartis spokesperson Michael Meo confirmed Novartis was “recently made aware of a cyber incident involving the patient services companies Cencora and its affiliate, Innomar Strategies in Canada, which have both provided services for Novartis,” but declined to comment further or say how many Novartis patients are affected by the data breach. The spokesperson declined to say whether Cencora has told Novartis how many of its patients are affected.

Cencora made $262 billion in revenue during 2023, up 10% on the previous year, according to its latest financials. The company does not say how much it spends on cybersecurity.

To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.