Pharma Company to SEC: More Data Was Stolen in February Hack
Cencora Updates 8-K Filing to Reflect the Results of Its Breach Investigation
Pharmaceutical maker Cencora - formerly AmerisourceBergen - in an updated filing this week told the U.S. Securities and Exchange Commission that a Feb. 21 cyberattack resulted in the theft of more data than previously reported - including personal and health information.
Five months ago, Cencora told the SEC in an 8-K filing that it had discovered a cyber incident involving the exfiltration of some data potentially containing personal information (see: Breach Roundup: White House Calls for Memory Safe Languages).
But in an amended 8-K filing on Wednesday, the company said its investigation found "that additional data, beyond what was initially identified, had been exfiltrated."
Cencora's amended notice comes amid several breach reports that Cencora subsidiaries and clients have filed to other federal and state regulators in recent months related to the hack, indicating the compromise potentially affected hundreds of thousands of individuals - and possibly many more in light of the company's update.
At least three breach reports filed in May and June to the U.S. Department of Health and Human Services by two of Cencora's businesses, AmerisourceBergen Specialty Group and Lash Group, indicated that the incident affected nearly 271,000 people.
But that's not the full extent of the impact of the Cencora breach. At least two dozen pharmaceutical and biotechnology firms - including Bristol Myers Squibb Co., Johnson & Johnson and Sanofi US Services - have in recent months filed breach reports to various state attorneys general offices, saying their data was affected by the Cencora hacking incident, according to DataBreaches.net.
In its most recent SEC filing, Cencora said that when it detected unauthorized activity in its information systems, the company "immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel."
The review of data affected by the incident confirmed that the breach affected personally identifiable information and protected health information, most of which is maintained by a Cencora subsidiary that provides patient support services. The SEC filing did not identify the subsidiary.
"The company continues to review the data, and it intends to provide any additional required notifications to affected and potentially affected parties and appropriate regulatory agencies," Cencora said in the updated SEC filing, adding that it has no evidence that any of the information has been or will be publicly disclosed.
"As part of its remediation efforts, the company is working with cybersecurity experts to reinforce its systems, strengthen its surveillance of cybersecurity threats and prevent unauthorized occurrences on or conducted through its IT systems," Cencora told the SEC.
The incident has not had a material impact on Cencora's operations, and its information systems have continued to be fully operational, the filing says. "The company does not believe the incident is reasonably likely to materially impact the company’s financial condition or results of operations."
Cencora did not immediately respond to Information Security Media Group's request for additional details about the hacking incident, including an updated total number of clients and individuals affected.