Cencora Confirms Patient Data Stolen in Cyber-Attack

Pharmaceutical company Cencora has confirmed that sensitive personal and health data was exfiltrated in the cyber-attack the firm suffered in February 2024.

In an updated filing to the US Securities and Exchange Commission (SEC) on July 31, Cencora said its investigation into the attack revealed that additional data, beyond what was initially identified, had been exfiltrated.

This included personally identifiable information (PII) and protected health information (PHI) of individuals, most of which is maintained by a subsidiary company that provides patient support services.

The company said it has notified potentially impacted individuals and will provide any additional required notifications as it continues to review the exfiltrated data.

The filing did not state the number of people impacted by the breach or name the subsidiary firm.

There is currently no evidence that the data has been published or misused by the attackers.

Cencora said it believes it has contained the incident and remediation efforts are ongoing.

“The Company is working with cybersecurity experts to reinforce its systems, strengthen its surveillance of cybersecurity threats and prevent unauthorized occurrences on or conducted through its IT systems,” Cencora added.

The incident has not materially impacted company operations and its information systems remain fully operational.

Healthcare Under Attack

The Cencora breach is one of a vast number of cyber-attacks to target healthcare services in 2024, many of which have had significant impacts on patient care.

The Change Healthcare ransomware attack in February caused prescription delays and other disruptions to patient care. The incident also exposed the personal data of millions of Americans.

A separate ransomware attack on US private healthcare provider Ascension in May led to ambulances being diverted and patient appointments postponed.

On July 31, US blood donation center OneBlood issued an urgent appeal for blood donation following a ransomware attack. The cyber-attack significantly reduced OneBlood’s capacity to collect, test and distribute blood to hospitals in the Southeastern US.

In the UK, a ransomware attack on pathology provider Synnovis in June continues to severely impact NHS hospital services.

Image credit: JHVEPhoto / Shutterstock.com
