A cyberattack on U.S. pharmaceutical solutions company Cencora in February has led to nearly a dozen pharmaceutical firms disclosing their own data breaches.
On February 21, Cencora detected unauthorized activity on its systems and confirmed that data had been exfiltrated. Despite this, the company maintained that the incident did not significantly impact its operations.
“As of the date of this filing, the incident has not had a material impact on the company’s operations, and its information systems continue to be operational,” Cencora stated in a February 28 breach notification. “The company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operations.”
In the wake of this breach, 11 pharmaceutical companies that partner with Cencora have reported their own data breaches. These companies include:
- Bayer Corporation – Renowned for pioneering aspirin.
- Novartis Pharmaceuticals – One of the largest pharmaceutical companies globally.
- Regeneron Pharmaceuticals, Inc. – Known for treatments in ophthalmology, oncology, and immunology.
- AbbVie Inc. – Creator of Humira, a treatment for rheumatoid arthritis.
- Incyte Corporation – Developer of Jakafi, a drug for treating myelofibrosis.
- Genentech, Inc. – Biotech leader in cancer treatment.
- Sumitomo Pharma America, Inc. – Specializes in neurology, oncology, and psychiatry.
- GlaxoSmithKline Group – Global provider of vaccines, pharmaceuticals, and consumer healthcare.
- Acadia Pharmaceuticals Inc. – Focuses on central nervous system disorders.
- Endo Pharmaceuticals Inc. – Develops medications for urology, endocrinology, and pain management.
- Dendreon Pharmaceuticals LLC – Specializes in oncology and immunotherapy for prostate cancer.
Data breach notifications published by the California Attorney General’s office from these companies indicated that the Cencora incident was the catalyst for their breaches. The 11 companies issued similar breach notifications, with significant input from Cencora affiliate Lash Group, which informed them of the incident on April 18.
“Based on our investigation, personal information was affected, including potentially your first name, last name, address, date of birth, health diagnosis, and/or medications and prescriptions,” reads the Bayer notification. “There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this to you so that you can take the steps outlined below to protect yourself.”
This series of breaches underscores the interconnected nature of data security within the pharmaceutical industry and highlights the ripple effect a single cyberattack can have on multiple organizations. As investigations continue, affected companies are taking steps to secure their systems and protect the personal information of their clients.