According to TechCrunch, Cencora has sent notifications to more than 1 million people across the U.S. that their personal and protected health information was compromised in a data breach earlier this year.
The pharmaceutical giant said in May that patient data had been compromised in the February incident, and that it had been obtained through partnerships with pharmaceutical companies that work with it on a patient support program called Senko. Some of those companies include AbbVie, Bayer, Pfizer, and Regeneron.
Cencora, known as AmerisourceBergen until 2023, said in a data breach notice that the compromised data included patient names, mailing addresses, dates of birth, and information about medical diagnoses, medications and prescriptions.
The pharmaceutical giant has so far refused to explain what led to the data breach, whether it was caused by malicious hackers or a security vulnerability within the organization. Cencora also declined to confirm the number of individuals who were notified of the data breach.
TechCrunch's analysis of publicly available data breach notifications found that Senko sent notifications to at least 1.43 million individuals that their data had been compromised as a result of the February incident.
Our analysis included searching data breach notifications posted on the websites of several U.S. state attorneys general, including Delaware, Iowa, Massachusetts, Montana, New Hampshire, Texas, and Washington. These states require companies affected by a data breach to publicly disclose the specific number of residents in that state. (Most data breach notifications are filed on behalf of each affected pharmaceutical company or through Xencora’s parent company, Rashy Group.) Texas had the largest number of individuals notified of the Xencora breach, with 1.05 million people notified at the time of this writing.
Senko filed its most recent data breach notification to affected individuals in mid-July, suggesting the pharmaceutical giant is still warning those whose data was compromised.
The number of people affected by the data breach is likely much higher. Cencora acknowledged in its own data breach notice that it could not notify everyone affected because it did not have up-to-date address information to send notices.
Senkora said earlier this year that it has served at least 18 million patients so far.
When reached by email Friday, Senkora spokesman Mike Iorfino did not dispute the number of individuals notified so far, but declined to provide a more precise figure or comment on the matter.
According to a list of data breaches released by the U.S. Department of Health and Human Services (HHS), this data breach affected 1.42 million people, making it the largest health-related information breach to date in 2024.
According to HHS’s 2024 cumulative tally, health insurance giant Kaiser notified more than 13.4 million people after accidentally sharing patients’ personal and health information with advertisers, prescription drug management company Sav-Rx notified 2.8 million people that their health information was stolen in a previous cyberattack, and health benefits management agency WebPTA notified 2.5 million people that cybercriminals had their insurance information and Social Security numbers stolen.
While the number of individuals affected has not yet been disclosed, the February ransomware attack on UnitedHealth’s health technology subsidiary Change Healthcare is likely to go down as one of the largest health-related data breaches in U.S. history, affecting “a significant portion of the American population,” possibly as many as 100 million U.S. residents.
Cencora said its data breach was “not related” to the ransomware attack and data breach at Change Healthcare.
