According to a TechCrunch investigation, Cencora has so far notified more than 1 million people across the US that their personal and protected health information was exposed in a data breach that occurred earlier this year.
The pharmaceutical giant said in May that patient data had been exposed in the February incident. Cencora obtained the data through pharmaceutical companies it partners with in connection with its patient assistance programs, including AbbVie, Bayer, Pfizer and Regeneron.
Cencora, which was known as AmerisourceBergen until 2023, said in its data breach notice that the exposed data included patients' names, addresses and dates of birth, as well as information about medical exams, medications and prescriptions.
The pharmaceutical giant has so far refused to explain how the data breach occurred, including whether it was caused by malicious hackers or a security flaw within the organization. Cencora also declined to say how many people it has notified about the breach.
A TechCrunch analysis of publicly available data breach notices found that Cencora notified at least 1.43 million individuals that their data had been compromised in the February incident.
The analysis also included a search of data breach notifications posted on the websites of several U.S. state attorneys general, including Delaware, Iowa, Massachusetts, Montana, New Hampshire, Texas and Washington. These states require companies affected by data breaches to publicly disclose the specific number of state residents notified. (Many of the data breach notifications are filed on behalf of the affected pharmaceutical companies or through Cencora's parent company, Lash Group.) Texas had the highest number of people notified about the Cencora breach, at 1.05 million at the time of writing.
Cencora provided its most recent data breach notification to affected individuals in mid-July, suggesting the pharmaceutical giant is still issuing warnings to those whose data was stolen.
The number of people affected by the data breach is likely much higher: Cencora acknowledged in its data breach notification that it couldn't notify everyone affected because it didn't have up-to-date address information to send notifications to.
Cencora said earlier this year that it had served at least 18 million patients to date.
Reached by email Friday, Cencora spokesman Mike Iorfino did not dispute the number of people notified so far but declined to provide a more precise figure or comment on the matter.
The data breach affected 1.42 million people and is already ranked as one of the largest health-related breaches to date in 2024, according to a data breach list published by the U.S. Department of Health and Human Services (HHS).
According to HHS's tally through 2024, health insurance giant Kaiser notified more than 13.4 million people that it had mistakenly provided patient personal and health information to advertisers, prescription management company Sav-Rx notified 2.8 million people that their health information had been stolen in a previous cyberattack, and health benefits management company WebTPA notified 2.5 million people that cybercriminals had stolen their insurance information and Social Security numbers.
While the number of people affected has not yet been disclosed, a February ransomware attack on UnitedHealth's medical technology subsidiary, Change Healthcare, was one of the largest health care data breaches in U.S. history and affected “a significant proportion of Americans,” possibly at least 100 million Americans.
Meanwhile, Cencora said its data breach was “unrelated” to the ransomware attack and data breach at Change Healthcare.