Pharma giant Cencora says personal health data leaked during February cyber incident
Pharmaceutical company Cencora confirmed on Wednesday that personal health data was exfiltrated during a previously reported cyberattack in February.
The company filed new documents with regulators confirming that an investigation into the incident revealed a patient support services subsidiary was attacked, causing the exposure of personal information and protected health information. The filing does not say how many people might be affected and did not name the subsidiary.
Formerly known as AmerisourceBergen, the Pennsylvania-based corporation has 46,000 employees and reported revenue of $262.2 billion for fiscal 2023.
After discovering the leak on February 21, the company worked with law enforcement and cybersecurity experts to examine what was stolen. That investigation revealed that “additional data, beyond what was initially identified, had been exfiltrated,” Cencora said.
The company did not respond to requests for comment about the differences between what was known in February and what was discovered recently.
Cencora said it has notified victims and regulatory agencies but is still in the process of figuring out additional notifications. The filing noted that the incident did not affect the company’s operations and will not have an impact on its financial outlook this year.
Cencora did not respond to requests for comment about whether it dealt with a ransomware incident.
A report released this week from cybersecurity firm Zscaler identified a $75 million ransom payment made to the Dark Angels ransomware gang in early 2024 by a Fortune 50 company.
The payment, the largest-ever reported payout to a ransomware group, was confirmed by other researchers.
Cencora was one of the few Fortune 50 companies to report a cyber incident early this year and no ransomware gang or hacker group ever took credit for the attack – separating it from other incidents affecting the world’s biggest companies like UnitedHealth, Microsoft, AT&T and others.
In the SEC filing on Wednesday, the company said there is “no evidence that any of the Data has been or will be publicly disclosed.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.