Pharmaceutical giant Cencora confirmed that the threat actors had access to personally identifiable information (PII) and protected health information (PHI) following the February 2024 cyberattack.
On February 21, Cencora announced a data breach in a filing with the Securities and Exchange Commission (SEC). At the time, the company announced that it was investigating the scope of the security breach to determine the type of data that has been infiltrated.
“On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information.” reads the Form 8-K filed with SEC. “Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel. As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational.”
In a new with the Securities and Exchange Commission (SEC), the company reported that the amount of exfiltrated data is greater than what was initially identified.
The Pharma giant announced it had reviewed most of the exfiltrated data and confirmed that it included personally identifiable information and protected health information of individuals. Most of the compromised data is maintained by a company subsidiary that provides patient support services.
“Through that investigation, the Company learned that additional data, beyond what was initially identified, had been exfiltrated. The Company has identified and completed its review of most of the exfiltrated data (the “Data”). This review has confirmed that the Data included personally identifiable information (“PII”) and protected health information (“PHI”) of individuals, most of which is maintained by a Company subsidiary that provides patient support services.” “For PII and PHI discovered in the Data to date, the Company has provided required notifications to potentially affected parties and individuals as well as regulatory agencies. The Company continues to review the Data and it intends to provide any additional required notifications to affected and potentially affected parties and appropriate regulatory agencies. The Company has no evidence that any of the Data has been or will be publicly disclosed.”
The company announced it had fully contained the incident and notified impacted individuals and regulatory agencies. Cencora has yet to reveal the number of impacted individuals and the family of ransomware that infected its systems.
In May, Cencora subsidiary Lash Group announced that a security incident impacted individuals’ personal information.
“Lash Group’s parent company previously disclosed that data from its information systems had been exfiltrated, some of which could contain personal information. Upon initial detection of the unauthorized activity, we immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and outside lawyers. Lash Group has now confirmed that individuals’ personal information was affected by the incident. For some individuals, Lash Group does not have address information to provide direct notice. Accordingly, Lash Group is posting this notice on its website.” reads the published by Lash Group.
“Based on our investigation, personal information including personal health information was affected, including potentially first name, last name, date of birth, health diagnosis, and/or medications and prescriptions.”
This week, Zscaler announced the discovery of a record-breaking ransom payment of US$75 million made by a company to the Dark Angels ransomware group. Zscaler did not name the company that paid the $75 million ransom following an attack that occurred in early 2024.
This is the largest ransomware payment by a company in history.
Bleeping Computer that in February 2024, the Fortune 50 company Cencora suffered a ransomware attack, however, no ransomware group claimed responsibility for the incident, potentially indicating that the victim paid the ransom.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, malware)