Cencora, formerly known as AmerisourceBergen until 2023, has notified over a million individuals across the U.S. about a data breach that compromised their personal and protected health information earlier this year. The breach, which occurred in February, affected data obtained through Cencora’s partnerships with major pharmaceutical companies including AbbVie, Bayer, Pfizer, and Regeneron.
The compromised information includes patient names, postal addresses, dates of birth, as well as details about their health diagnoses, medications, and prescriptions. Despite the significant impact, Cencora has not disclosed whether the breach resulted from malicious hacking or an internal security lapse. The company has also not provided specific details on the total number of individuals notified.
Cencora has informed at least 1.43 million individuals about the breach. This analysis included data from state attorneys general in Delaware, Iowa, Massachusetts, Montana, New Hampshire, Texas, and Washington, which require companies to disclose the number of affected residents. Texas had the highest notification count, with 1.05 million individuals reported.
Cencora’s most recent breach notification, issued in mid-July, suggests the company is still in the process of notifying affected individuals. The total number of people impacted by the breach could be even higher, as Cencora admitted it could not reach everyone due to outdated address information.
Cencora serves approximately 18 million patients, according to its earlier statements. Although a precise figure for those notified is not provided, the breach is one of the largest health-related data compromises of 2024, according to the U.S. Department of Health and Human Services (HHS).
For comparison, Kaiser Permanente recently notified over 13.4 million individuals about a breach involving personal and health information shared with advertisers. Sav-Rx reported a breach affecting 2.8 million people, and WebTPA disclosed a breach involving 2.5 million individuals’ insurance information and Social Security numbers.
The February ransomware attack on Change Healthcare, a subsidiary of UnitedHealth, is believed to be one of the largest health-related data breaches in U.S. history, potentially affecting at least 100 million U.S. residents. Cencora has clarified that its breach is unrelated to the Change Healthcare attack.