AmerisourceBergen MWI Animal Health hit by Lorenz; Company investigating

Posted on by Dissent

The Lorenz ransomware group has added AmerisourceBergen/MWI Animal Health to their leak site with what teasingly appears to be a lot of data, except there is no key to unlock the leaked files. Those who want the key will have to contact Lorenz and buy the key.

Listing on Lorenz shows icons for 16 parts of a data leak.
Listing on Lorenz’s leak site indicates a data leak for sale although it does not name a price. It also provides a listing of files that appear linked to the animal health subsidiary. Image: DataBreaches.net.

Lorenz did provide a file list as a sample, but the filenames in the list suggest that the files are personnel-related and internal files related to the MWI Animal Health subsidiary.  AmerisourceBergen functions as a business associate under HIPAA, but this attack may be limited to the animal health division. Consistent with that,  AmerisourceBergen’s statement to DataBreaches suggests that the attack was of one subsidiary.

DataBreaches sent an email inquiry to AmerisourceBergen to ask if (human) patient data was accessed or acquired, and whether the attack occurred November 1 (because that date shows up on Lorenz’s listing).  DataBreaches also asked what regulators have been notified, and whether any files had been locked.

In response, Lauren Esposito Vice President, External & Executive Communications, provided the following statement which they say addresses the questions posed:

AmerisourceBergen’s internal investigation quickly identified that a subsidiary’s IT system was compromised. We immediately engaged the appropriate  teams to limit the intrusion, contained the disruption and took precautionary measures to ensure all systems were and are now clear of any intrusions. This was an isolated incident and we are in the process of investigating to determine whether any sensitive data was compromised. We take our responsibility to protect data very seriously and continue to secure and strengthen our networks to prevent any future issues.

Clearly, the statement does not address the question about November 1, it does not address the question about whether any files were locked, and it does not answer the question about what regulators may have been notified already.  The only thing it comes close to addressing is whether any patient data was involved, and that seems to be under investigation.

DataBreaches will update this post if additional information becomes available.

Category: Business SectorMalwareU.S.