US wholesale drug distributor Cencora has revealed that the attackers responsible for a February data breach took more personal health information than initially identified. The breach has since impacted at least 38 other healthcare companies, including Bayer, Johnson & Johnson, and Pfizer.
The Pennsylvania-based company filed an amended Form 8-K with the US Securities and Exchange Commission (SEC) on Wednesday, stating that based on its investigation, “the Company learned that additional data, beyond what was initially identified, had been exfiltrated.”
Over 852,000 patient records had been exposed in the original February 21st breach – which was reported to the SEC six days later.
The drug distributor did not say what additional health information had been taken from the company in the amended filing, except to say it has “completed its review” of most of the stolen data “which is maintained by a Company subsidiary that provides patient support services,” known as the Lash Group.
According to its website, the Lash Group partners with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to therapies through drug distribution, patient support and services, business analytics and technology, and other services.
At the time, Cencora said the exposed personally identifiable information (PII), including personal health information (PHI), included:
- first and last name
- address
- date of birth
- health diagnosis
- medications and prescriptions
Dozens more companies impacted
From mid-May through July, 38 other major drug manufacturers and healthcare entities that partner with Cencora and the Lash Group filed disclosure notifications stating they were also impacted by the February breach.
The number of additional patient health records exposed in those breaches totals about 900,000.
Big manufacturing names with the largest number of sensitive records exposed include Bristol Myers Squibb (256,000), Johnson & Johnson (175,000), Sanofi US Services (183,000), and Regeneron Pharmaceuticals (91,000).
Pfizer, AstraZeneca, Bausch & Lomb, Novartis, and Bayer have also reported thousands exposed from the third-party hack.
Cencora said it has notified affected parties and individuals, and will continue to do so if necessary.
And, although the Company said it has no evidence that any of the “'Data' has been or will be publicly disclosed,” it cannot be certain and has provided a reference guide on its website for victims whose PII and PHI were compromised.
With 2023 annual revenue of $262 billion, the drug distributor “believes it has contained the incident, and has undertaken remediation efforts, which are ongoing,” it said.
Formerly known as AmerisourceBergen, Cencora changed its name in 2023. The Lash Group is still listed as part of the AmerisourceBergen network of companies.