Over on Bleeping Computer, Lawrence Abrams reports that Cencora confirmed that protected health information was involved in the February cyberattack in its recent SEC filing,
As DataBreaches previously reported, a number of Cencora—-Lash Group’s clients disclosed that personal and protected health information (PHI) was involved when they sent out notifications to their patients in May and June. Cencora’s recent confirmation really didn’t reveal anything new about the types of information, however, as dozens of Lash Group clients had already sent out notification letters months ago that made clear that PHI was involved.
Abrams also notes speculation that Cencora paid the $75 million ransom discovered by Zscaler earlier this year. Lash Group, Cencora’s subsidiary, included a statement in its substitute notice providing some support for this hypothesis: “There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident.” Other support for the hypothesis stems from the fact that no group ever claimed responsibility for the attack and no data has ever leaked.
As previously reported, DataBreaches emailed Lash Group in May to ask, “Does Lash Group have any evidence or reason to believe that the information will NOT be publicly disclosed or misused? Did Lash Group or Cencora pay any ransom or extortion to try to protect the patient data?”
Cencora replied with a generic media statement that was non-responsive, so DataBreaches repeated the email inquiry. There was no reply. Bleeping Computer has also been able to get a reply to the question.