DataBreaches.Net


More than 540,000 patients notified so far about Cencora/Lash Group data breach (9)

Posted on May 24, 2024 | June 21, 2024 by Dissent

– Only partial numbers so far 

– Only partial list of clients so far

– No group has as yet claimed responsibility for the hack and data exfiltration

As the week draws to a close, clients of Cencora and The Lash Group have been submitting breach notifications to state attorneys general.

DataBreaches reported in February that Cencora (formerly AmerisourceBergen/Lash Group) had filed notice of a cybersecurity incident with the Securities and Exchange Commission:

On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.

As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

Lash Group’s Substitute Notice

The Lash Group partners with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to therapies through drug distribution, patient support and services, business analytics and technology, and other services. Their substitute notice explains that based on their investigation, personal information including personal health information was affected, “including potentially first name, last name, date of birth, health diagnosis, and/or medications and prescriptions.” They add:

“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”

DataBreaches emailed Lash Group to ask, “Does Lash Group have any evidence or reason to believe that the information will NOT be publicly disclosed or misused? Did Lash Group or Cencora pay any ransom or extortion to try to protect the patient data?” Other questions requested the number of clients affected by this incident and whether Lash Group would disclose what threat actor or group was responsible for the attack.

There has been no reply by publication and no group has as yet publicly claimed responsibility for the attack.

Separately, and as reported by Reuters, Cencora’s unit, AmerisourceBergen Specialty Group, said the stolen information was in connection with a prescription supply program offered by its now-defunct subsidiary, Medical Initiatives Inc.

What we know so far

As of today, DataBreaches has identified 15 clients of Cencora/Lash Group that have already notified state attorneys general. Here are the clients identified so far with their partial numbers:

  • Abbott: 461 Texans + 10 Montanans
  • AbbVie: 54,344 Texans + 1087 Montanans
  • Acadia Pharmaceuticals: 753 Texans + 124 New Hampshire residents + 95 Montanans
  • Acrotech Biopharma: no numbers available
  • Alexion Pharmaceuticals: 2 New Hampshire + 4 Montanans
  • Alkermes: + 9 Montanans
  • Amgen: 92,253 Texans + 5422 Montanans
  • AstraZeneca: 1 New Hampshire resident + 1 Montanan
  • Bausch & Lomb: 638 Texans + 5 Montanans
  • Bausch Health Companies Inc: 564 Texans + 8 Montanans
  • Bayer: 8,822 Texans + 398 Montanans
  • Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire + 8388 Montanans
  • CareDx: no numbers available
  • Clovis Oncology: no numbers available
  • Dendreon: 2,923 Texans + 190 Montanans
  • Endo: 6 Montanans
  • Genentech: 5,805 Texans and 324 New Hampshire residents + 98 Montanans
  • GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: 5145 Montanans
  • Grifols: 31 New Hampshire residents + 38 Montanans
  • Heron Therapeutics: 2,081 Texans + 52 Montanans
  • Incyte Corporation: 2,592 Texans + 119 Montanans
  • Johnson Patient Assistance Foundation: 140,865 Texans + 5494 Montanans
  • Johnson & Johnson Services: 34,335 Texans + 1528 Montanans
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire + 12 Montanans
  • Novartis Pharmaceuticals: 12,134 Texans + 383 Montanans
  • Otsuka America: 3,897 Texans + 69 Montanans
  • Pfizer: 8707 Texans
  • Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire + 13 Montanans
  • Purdue Pharma: 9 New Hampshire residents affected
  • Rayner Surgical: 2,063 Texans + 3 Montanans
  • Regeneron Pharmaceuticals: 91,514 Texans, 6,553 New Hampshire residents + 3767 Montanans
  • Sandoz, Inc.: 726 Texans + 9 Montanans
  • Sanofi US Services Inc.: 183,392 Texans + 6009 Montanans
  • Smith & Nephew: 25 New Hampshire residents + 1 Montanan
  • Stemline Therapeutics, Inc: 1 Montanan
  • Sumitomo Pharma America, Inc.: 24,102 Texans, 219 New Hampshire + 401 Montanans
  • Takeda Pharmaceuticals: 7,886 Texans + 91 Montanans
  • Tolmar: 1 New Hampshire resident + 3 Montanans
  • AmerisourceBergen Specialty Group, LLC (“ABSG”): + 3 Montanans

In addition to the above, DataBreaches found 15 submissions to the Massachusetts Attorney General’s Office on behalf of clients, but the notification letters did not reveal the names of the clients. Of the 15 entries, one was for 30,485 and one was for 36,626. All told, 70,516 Massachusetts residents were notified by Lash Group on behalf of clients.

With only partial numbers from some clients available, there are already 542,062 patients affected. When full numbers are revealed, the grand total for this incident will likely be significantly higher. (See UPDATES below)

Updated to include that stolen data was in connection with a prescription supply program offered by Cencora’s now-defunct subsidiary, Medical Initiatives Inc. and to correct that it was 15 entities already identified, not 14. 

Correction: A previous version of this post inadvertently named one entity as Genetech instead of Genentech.

Updates: The partial total is now 1,066,071 for 37 entities.

We will no longer be updating this page with totals.

 

Category: Blog, Hack, Health Data, Of Note, Subcontractor, U.S.
