What Happened
Cencora, Inc. (formerly AmerisourceBergen), one of the world’s largest pharmaceutical distribution companies with over $260 billion in annual revenue, disclosed on February 27, 2024, that unauthorized parties had exfiltrated data from its corporate IT systems. The breach exposed personal and protected health information of over 1.4 million patients enrolled in pharmaceutical manufacturer patient support programs managed by Cencora’s subsidiaries.
How It Happened
Cencora disclosed that data was “exfiltrated from its information systems” but provided limited technical detail about the attack vector. The company first detected the incident on February 21, 2024, the same day as the Change Healthcare ransomware attack, though the two incidents are unrelated.
No ransomware group has publicly claimed responsibility for the Cencora breach, which is unusual for an incident of this scale. Reports indicate Cencora may have paid a $75 million ransom, which would be one of the largest known ransomware payments, though the company did not confirm this.
Exposed Data
The breach affected patients enrolled in programs operated by Cencora subsidiaries including Lash Group and AmerisourceBergen Specialty Group. Exposed data included patient names, mailing addresses, full dates of birth, medical conditions and diagnoses, and current and historical medication information.
The exposed data related to specific pharmaceutical manufacturer programs for medications treating conditions including cancer, autoimmune diseases, and rare diseases, making the health information particularly sensitive.
Affected Pharmaceutical Manufacturers
Cencora notified patients on behalf of multiple pharmaceutical companies whose patient support programs were affected, including AbbVie, Bayer, Bristol-Myers Squibb, Genentech, Novartis, Regeneron, and other manufacturers using Cencora’s patient services platform.
Timeline
Cencora detected unauthorized access to IT systems on February 21, 2024. The company filed an SEC Form 8-K disclosing the incident on February 27. Investigation determined personal and health data was exfiltrated in March and April 2024. Notification letters were sent to affected patients via partner pharmaceutical companies from May through July 2024. Multiple class-action lawsuits were filed throughout 2024.
Industry Implications
The pharmaceutical supply chain is an increasingly attractive target. Cencora handles drug distribution for approximately 20% of all pharmaceuticals sold in the US. The potential $75 million ransom payment, if confirmed, would signal that large pharmaceutical companies will pay to prevent health data publication. The breach highlights that patient support programs and specialty pharmacy services create additional data exposure beyond traditional healthcare providers. Cencora’s SEC disclosure within 6 days of detection demonstrated compliance with the new cyber incident disclosure rules.
Key Lessons
Pharmaceutical distributors and patient services companies hold sensitive health data that rivals hospitals and insurers in value. Specialty pharmacy programs aggregate health data across multiple manufacturers, creating concentrated data targets. Ransom payments remain controversial. Paying may prevent data publication but funds criminal operations and does not guarantee data destruction. Healthcare data concentration continues to increase as pharmaceutical services consolidate.