– Only partial numbers so far
– Only partial list of clients so far
– No group has as yet claimed responsibility for the hack and data exfiltration
As the week draws to a close, clients of Cencora and The Lash Group have been submitting breach notifications to state attorneys general.
DataBreaches reported in February that Cencora (formerly AmerisourceBergen/Lash Group) had filed notice of a cybersecurity incident with the Securities and Exchange Commission:
On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.
As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
Lash Group’s Substitute Notice
The Lash Group partners with pharmaceutical companies, pharmacies, and healthcare providers to facilitate access to therapies through drug distribution, patient support and services, business analytics and technology, and other services. Their substitute notice explains that based on their investigation, personal information including personal health information was affected, “including potentially first name, last name, date of birth, health diagnosis, and/or medications and prescriptions.” They add:
“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”
DataBreaches emailed Lash Group to ask, “Does Lash Group have any evidence or reason to believe that the information will NOT be publicly disclosed or misused? Did Lash Group or Cencora pay any ransom or extortion to try to protect the patient data?” Other questions requested the number of clients affected by this incident and whether Lash Group would disclose what threat actor or group was responsible for the attack.
There had been no reply by publication time, and no group has as yet publicly claimed responsibility for the attack.
Separately, and as reported by Reuters, Cencora’s unit, AmerisourceBergen Specialty Group, said the stolen information was in connection with a prescription supply program offered by its now-defunct subsidiary, Medical Initiatives Inc.
What we know so far
As of today, DataBreaches has identified 15 clients of Cencora/Lash Group that have already made notification to state attorneys general. Here are the clients identified so far with their partial numbers:
- Abbott: 461 Texans + 10 Montanans
- AbbVie: 54,344 Texans + 1087 Montanans
- Acadia Pharmaceuticals: 753 Texans + 124 New Hampshire residents + 95 Montanans
- Acrotech Biopharma: no numbers available
- Alexion Pharmaceuticals: 2 New Hampshire + 4 Montanans
- Alkermes: 9 Montanans
- Amgen: 92,253 Texans + 5422 Montanans
- AstraZeneca: 1 New Hampshire resident + 1 Montanan
- Bausch & Lomb: 638 Texans + 5 Montanans
- Bausch Health Companies Inc: 564 Texans + 8 Montanans
- Bayer: 8,822 Texans + 398 Montanans
- Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire + 8388 Montanans
- CareDx: no numbers available
- Clovis Oncology: no numbers available
- Dendreon: 2,923 Texans + 190 Montanans
- Endo: 6 Montanans
- Genentech: 5,805 Texans and 324 New Hampshire residents + 98 Montanans
- GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: 5145 Montanans
- Grifols: 31 New Hampshire residents + 38 Montanans
- Heron Therapeutics: 2,081 Texans + 52 Montanans
- Incyte Corporation: 2,592 Texans + 119 Montanans
- Johnson Patient Assistance Foundation: 140,865 Texans + 5494 Montanans
- Johnson & Johnson Services: 34,335 Texans + 1528 Montanans
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire + 12 Montanans
- Novartis Pharmaceuticals: 12,134 Texans + 383 Montanans
- Otsuka America: 3,897 Texans + 69 Montanans
- Pfizer: 8707 Texans
- Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire + 13 Montanans
- Purdue Pharma: 9 New Hampshire residents affected
- Rayner Surgical: 2,063 Texans + 3 Montanans
- Regeneron Pharmaceuticals: 91,514 Texans, 6,553 New Hampshire residents + 3767 Montanans
- Sandoz, Inc.: 726 Texans + 9 Montanans
- Sanofi US Services Inc.: 183,392 Texans + 6009 Montanans
- Smith & Nephew: 25 New Hampshire residents + 1 Montanan
- Stemline Therapeutics, Inc: 1 Montanan
- Sumitomo Pharma America, Inc.: 24,102 Texans, 219 New Hampshire + 401 Montanans
- Takeda Pharmaceuticals: 7,886 Texans + 91 Montanans
- Tolmar: 1 New Hampshire resident + 3 Montanans
- AmerisourceBergen Specialty Group, LLC (“ABSG”): 3 Montanans
In addition to the above, DataBreaches found 15 submissions to the Massachusetts Attorney General’s Office on behalf of clients, but the notification letters did not reveal the names of the client. Of the 15 entries, one was for 30,485 and one was for 36,626. All told, 70,516 Massachusetts residents were notified by Lash Group on behalf of clients.
With only partial numbers from some clients available, there are already 542,062 patients affected. When full numbers are revealed, the grand total for this incident will likely be significantly higher. (See UPDATES below)
Updated to include that stolen data was in connection with a prescription supply program offered by Cencora’s now-defunct subsidiary, Medical Initiatives Inc. and to correct that it was 15 entities already identified, not 14.
Correction: A previous version of this post inadvertently named one entity as Genetech instead of Genentech.
Updates: The partial total is now 1,066,071 for 37 entities.
We will no longer be updating this page with totals.