Cencora & The Lash Group have agreed to pay $40 million to settle class action data breach litigation over a February 2024 data breach that affected more than 1.43 million individuals.
Cencora, Inc., formerly AmerisourceBergen, is an American drug wholesale company and a contract research organization, and The Lash Group is a pharmaceutical solutions organization. Cencora disclosed the data breach in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), stating that on February 21, 2024, the company learned that data had been exfiltrated from its information systems.
On July 31, 2024, an updated SEC filing confirmed that more data had been stolen than initially thought. At least 27 pharmaceutical companies were affected, and the stolen personal and protected health information included names, addresses, dates of birth, Social Security Numbers, health and insurance information, financial information, transactional information, consumer profile information, racial/ethnic identity, political opinions, sexual orientation/identity, criminal history, IP addresses, other electronic identifiers, biometric information, genetic information, trade union membership information, and driver’s license and passport information.
Since the breach has been reported separately by several different entities, the total number of affected individuals is not known. TechCrunch tracked breach reports submitted to state Attorneys General and reports that at least 1.43 million individuals have been notified that their data was compromised in the February security incident. Only a few states publish breach report data that includes the number of affected individuals, so the total is likely to be significantly higher than 1.43 million.
Several class action lawsuits were filed against Cencora, the Lash Group, and the affected pharmaceutical firms (see the list below). The lawsuits were consolidated in a single action – Anaya et Al. v. Cencora, Inc., et al. – in the U.S District Court for the Eastern District of Pennsylvania. The defendants were alleged to have been negligent by failing to implement reasonable and appropriate safeguards to protect sensitive data, and as a result of that negligence, sensitive data was stolen.
The defendants chose to settle the lawsuit with no admission of wrongdoing or liability and will establish a $40 million settlement fund to cover attorneys’ fees (up to $13,333,333.33), attorneys’ expenses (up to $300,000), service awards to the 28 class representatives (total $42,000), and settlement administration costs (yet to be determined).
The remainder of the settlement fund will be used to pay benefits to class members. Class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach, which were incurred on or after September 1, 2023. Claims have been capped at $5,000 per class member, and the total loss payments are capped at $5,000,000. If that total is exceeded, claims will be paid pro rata. Alternatively, class members may claim a cash fund payment, the value of which will depend on the number of valid claims received.
The dates for exclusion from and objection to the settlement will be 150 days from the date the settlement receives preliminary approval from the court. The deadline for submitting a claim will be 180 days from the date of preliminary approval, and the final approval hearing will be scheduled for 230 days after the preliminary approval date. Claims will be paid between 306 and 311 days after the preliminary approval date. Further information can be found on the settlement website, which is not yet live – cencoraincidentsettlement.com
August 2, 2024: Cencora: Additional Data Exfiltrated in February 2024 Cyberattack
On July 31, 2024, in an updated filing with the Securities and Exchange Commission (SEC), the pharmaceutical firm Cencora explained that more data was exfiltrated from its network in its February 2024 cyberattack than was initially thought, including personally identifiable information (PII) and protected health information (PHI). The majority of the additional data was maintained by one of its subsidiaries that provides patient support services.
The review of the exfiltrated data is still ongoing, and notifications will be issued to the affected individuals in due course. Cencora did not state how many individuals have been affected, the name of the subsidiary company, or the types of data that were compromised in the incident.
Three HIPAA breach reports have previously been filed with the HHS Office for Civil Rights as a result of the Cencora cyberattack, two by AmerisourceBergen Specialty Group which affected 252,214 individuals and 3,102 individuals, and one by The Lash Group, which affected 15,196 individuals. Many of the affected companies have also filed breach reports with state attorneys general, as detailed in previous reporting by the HIPAA Journal (see below).
While data has been stolen, Cencora is unaware of any actual or attempted misuse of the affected data and does not believe any of the stolen data has been published online. Cencora believes the incident has been contained; however, the remediation efforts and file review are ongoing. Cencora has engaged cybersecurity experts to assist with reinforcing cybersecurity measures and strengthening cyber threat monitoring.
May 27, 2024: 2 Dozen Pharmaceutical Companies Affected by Cencora Cyberattack
Cencora, Inc. (formerly AmerisourceBergen), and its Lash Group affiliate have been affected by a cyberattack. Cencora announced the attack in a February 2024 filing with the Securities and Exchange Commission (SEC); however, at that point, the extent of the data breach had yet to be determined, although Cencora did confirm in the SEC filing that data was exfiltrated in the attack.
Cencora is a Conshohocken, PA-based company that partners with pharmaceutical firms, healthcare providers, and pharmacies and offers drug distribution, patient support and services, business analytics and technology, and other services. Around 20% of pharmaceutical products sold and distributed in the United States are handled by Cencora.
Last week, clients of Cencora and The Lash Group started notifying state Attorneys General about the data breach. The total number of affected clients has not yet been confirmed, but the breach is known to have affected at least 27 pharmaceutical and biotechnology companies and involved the theft of the personal data of hundreds of thousands of individuals. Based on the notifications sent to state Attorneys General so far, the following pharmaceutical and biotechnology companies have been affected:
- Abbot
- AbbVie Inc.
- Acadia Pharmaceuticals Inc.
- Acrotech Biopharma Inc.
- Amgen Inc.
- Bausch Health Companies Inc.
- Bayer Corporation
- Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
- CareDx, Inc
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
- Heron Therapeutics, Inc.
- Incyte Corporation
- Johnson & Johnson Services, Inc.& Johnson & Johnson Patient Assistance Foundation, Inc.
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Novartis Pharmaceuticals Corporation
- Otsuka America Pharmaceutical, Inc.
- Pfizer Inc.
- Pharming Healthcare, Inc.
- Rayner Surgical Inc.
- Regeneron Pharmaceuticals, Inc
- Sandoz Inc.
- Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
- Takeda Pharmaceuticals U.S.A., Inc.
- Tolmar
While State Attorneys general often publish notices of data breaches, they do not always state how many individuals have been affected, so the scale of the breach is unknown at this stage. Cencora detected the cyberattack on February 21, 2024, and took immediate action to contain the attack and prevent further unauthorized access. The forensic investigation confirmed that a threat actor had exfiltrated data from its systems, including patient data provided by its clients for its patient support programs. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. AmerisourceBergen Specialty Group has filed two separate breach reports with the Office for Civil Rights affecting 252,214 and 3,102 patients. The Lash Group has reported the breach to OCR separately as affecting 15,003 individuals
On April 10, 2024, Cencora confirmed that the stolen data included first names, last names, addresses, dates of birth, health diagnoses, and/or medications and prescriptions. Cencora’s investigation found no connection with other major healthcare cyberattacks such as the attacks on Change Healthcare and Ascension; and at the time of issuing notifications, Cencora/LashGroup said they were unaware of any actual or attempted misuse of the stolen data and had not detected any public disclosure of the stolen data. While data misuse has not been identified, the affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost. Steps have also been taken to harden defenses to prevent similar security breaches in the future. At the time of publication, no cybercriminal group appears to have claimed responsibility for the attack.
The post Cencora & The Lash Group Settle Data Breach Litigation for $40 Million appeared first on The HIPAA Journal.
1. Essential Functionality
Free Buyer’s Guide
At smaller organizations with under 100 employees, responsibility for 
What other features should you consider for your HIPAA compliance solution?
