Cencora Confirms Personal and Health Information Theft

Threat Actor: Dark Angels
Victim: Cencora
Price: $75 million
Exfiltrated Data Type: Personally Identifiable Information (PII) and Protected Health Information (PHI)

Key Points:

  • Cencora confirmed the theft of personal and health information following a cyberattack in February 2024.
  • The company reported the breach to the Securities and Exchange Commission (SEC) on February 21, 2024.
  • The exfiltrated data includes PII and PHI, primarily maintained by a subsidiary providing patient support services.
  • Cencora has taken containment steps and is working with law enforcement and cybersecurity experts.
  • The incident has not materially impacted the company’s operations, and its information systems remain operational.
  • The ransomware attack may have involved a record-breaking ransom payment of $75 million, although no group claimed responsibility.
  • Cencora has not disclosed the number of impacted individuals but has notified affected parties and regulatory agencies.

Pharma company Cencora confirmed the theft of personal and health information following the February 2024 data breach.

Pharmaceutical giant Cencora confirmed that the threat actors had access to personally identifiable information (PII) and protected health information (PHI) following the February 2024 cyberattack.

On February 21, Cencora announced a data breach in a filing with the Securities and Exchange Commission (SEC). At the time, the company said it was investigating the scope of the security breach to determine the type of data that had been exfiltrated.

“On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information.” reads the Form 8-K filed with SEC. “Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel. As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational.”

In a new filing with the Securities and Exchange Commission (SEC), the company reported that the amount of exfiltrated data is greater than what was initially identified.

The pharma giant announced it had reviewed most of the exfiltrated data and confirmed that it included personally identifiable information and protected health information of individuals. Most of the compromised data is maintained by a company subsidiary that provides patient support services.

“Through that investigation, the Company learned that additional data, beyond what was initially identified, had been exfiltrated. The Company has identified and completed its review of most of the exfiltrated data (the “Data”). This review has confirmed that the Data included personally identifiable information (“PII”) and protected health information (“PHI”) of individuals, most of which is maintained by a Company subsidiary that provides patient support services.” reads the new filing. “For PII and PHI discovered in the Data to date, the Company has provided required notifications to potentially affected parties and individuals as well as regulatory agencies. The Company continues to review the Data and it intends to provide any additional required notifications to affected and potentially affected parties and appropriate regulatory agencies. The Company has no evidence that any of the Data has been or will be publicly disclosed.”

The company announced it had fully contained the incident and notified impacted individuals and regulatory agencies. Cencora has yet to reveal the number of impacted individuals and the family of ransomware that infected its systems.

In May, Cencora subsidiary Lash Group announced that a security incident impacted individuals’ personal information.

“Lash Group’s parent company previously disclosed that data from its information systems had been exfiltrated, some of which could contain personal information. Upon initial detection of the unauthorized activity, we immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and outside lawyers. Lash Group has now confirmed that individuals’ personal information was affected by the incident. For some individuals, Lash Group does not have address information to provide direct notice. Accordingly, Lash Group is posting this notice on its website.” reads the statement published by Lash Group.

“Based on our investigation, personal information including personal health information was affected, including potentially first name, last name, date of birth, health diagnosis, and/or medications and prescriptions.”

This week, Zscaler announced the discovery of a record-breaking ransom payment of US$75 million made by a company to the Dark Angels ransomware group. Zscaler did not name the company that paid the $75 million ransom following an attack that occurred in early 2024.

This is the largest ransomware payment by a company in history.

Bleeping Computer speculates that in February 2024 the Fortune 50 company Cencora suffered a ransomware attack; however, no ransomware group claimed responsibility for the incident, potentially indicating that the victim paid the ransom.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)