US pharmaceutical manufacturer Sencora has announced that it is notifying affected individuals of a cyberattack and data breach earlier this year, which resulted in the theft of personal information and highly sensitive medical information.
In a letter sent to affected individuals this week, Sencora said the data from its systems included patients' names, addresses and dates of birth, as well as information about medical tests and medications.
The pharmaceutical giant said it initially obtained the patient data through partnerships with other pharmaceutical companies “in connection with patient assistance programs,” including patients from companies including AbbVie, Acadia, Bayer, Novartis and Regeneron.
Sencora has yet to explain the nature of the cyberattack, which began on Feb. 21 and wasn't made public until it notified government regulators a week later on Feb. 27. The company, known as AmerisourceBergen until 2023, handles about 20% of the pharmaceutical products sold and distributed across the United States.
Cencora spokesman Mike Iorfino said in an email to TechCrunch that Cencora did not want to disclose how many individuals were affected by the breach or how many individuals it has notified so far.
It's the latest security incident to hit the U.S. healthcare sector, following a series of cyberattacks in recent months that included a major data breach and lengthy outage at UnitedHealth's Change Healthcare, as well as a recent ongoing cyberattack that took large parts of Ascension Hospital's network offline.
A Sencora spokesman said there was “no connection” between the incident at Sencora and the cyber attacks on Change and Ascension.
According to a public notice of the data breach filed by Cencora with U.S. authorities and reviewed by TechCrunch, the company has notified approximately 500,000 people since learning of the breach. The number of people affected by the Cencora data breach is likely much higher. On its website, Cencora says it has served at least 18 million patients to date.
Sencora said it had posted a notice on its website explaining that it “does not have address information to directly notify” some individuals affected by the data breach.
Spokespeople for the affected pharmaceutical companies – Abbvie, Acadia, Bayer and Regeneron – did not respond to TechCrunch's requests for comment.
Novartis spokesman Michael Meo confirmed that the company “recently became aware of a cyber incident involving patient services company Sencora and its affiliate, Innomar Strategies of Canada, both of which provide services to Novartis,” but declined to comment further or say how many Novartis patients are affected by the data breach. The spokesman declined to say whether Sencora had communicated to Novartis how many patients were affected.
Sencora's most recent financial statements show the company is on track to generate $262 billion in revenue in 2023, up 10% from the previous year. The company has not disclosed how much it is spending on cybersecurity.
You can contact this reporter on Signal and WhatsApp (+1 646-755-8849) or by email. You can also send files and documents via SecureDrop.