US pharmaceutical giant Cencora has been affected by a data breach. The company is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year. This includes patient names, postal addresses, dates of birth, as well as information about their health diagnoses and medications.
What happened: A breakdown of events
Cencora has not yet described the nature of the cyberattack. However, a report claims the attack began on February 21 and was not publicly disclosed until the company filed notice with government regulators a week later on February 27.
The pharmaceutical company, known as AmerisourceBergen until 2023, handles around 20% of the pharmaceuticals sold and distributed throughout the US. It’s unclear if Cencora has determined how many individuals are affected by the breach. The company says it has identified and notified roughly half a million individuals impacted by the data breach so far. However, Cencora acknowledged that it lacks complete address information for some affected people, so it published a notice on its website to reach them.
The cyberattack on pharmaceutical giant Cencora came to light shortly after another attack that disrupted Ascension’s hospital network. However, a Cencora spokesperson says that there’s “no connection” between the unauthorized activity at Cencora and the incidents at Change Healthcare or Ascension.
Why should you care about the Cencora data breach?
Cencora is a major player in the US healthcare industry. The $250-billion firm partners with some of the largest pharmaceutical companies, including GlaxoSmithKline, Novartis, Genentech, Bayer, Regeneron, and Bristol Myers Squibb. The breach has affected at least 23 pharmaceutical and biotechnology companies, suggesting a broader impact than initially reported.
If you provided any of these companies with your data, it’s possible that the breach has exposed it to the web. The number of individuals affected by the Cencora data breach is expected to be very high. Cencora states on its website that it has served at least 18 million patients to date. It’s quite possible that the breach might have exposed the data of all these patients.
There may not be immediate harm from the data breach, but chances are your data is already in the hands of scammers on the dark web. They can use this data to scam, blackmail, and harass you. Since the data breach also leaks your address, scammers may try to scam you through the mail by asking for personal information or pretending to be a government authority.
The aftermath and response
Cencora completed its investigation into the breach on April 10, 2024. As part of its response, Cencora is offering 24 months of credit monitoring and remediation services to individuals whose information was involved in the incident. There is also an indication that a ransom may have been paid to prevent the leaked patient data from being released to the public.
Also, a class-action lawsuit has been filed against Cencora, alleging the company failed to properly safeguard patient data and delayed notifying affected individuals for nearly three months after discovering the breach.
We reached out to Cencora for a comment on this article, and a rep provided this statement:
Cencora previously disclosed that data from its information systems had been exfiltrated. Upon initial detection of the unauthorized activity, we immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.
Through our investigation, we have identified certain individuals whose personal information was involved in the incident. While there is no evidence that any of the information has been publicly disclosed or misused for fraudulent purposes, we are issuing notification to impacted individuals and working to ensure they have access to resources to help them protect their information.
The incident is fully contained and did not impact our operations. We take the security of information entrusted to us very seriously and continue to work with cybersecurity experts to reinforce our systems and information security protocols.
7 proactive steps to take in the face of healthcare cyberattacks
If you think you have been affected by the Cencora data breach, follow these steps to protect yourself and your personal data.
1) Stay informed: Keep up-to-date with the latest news from Cencora and other reliable sources to know the status of the systems and services.
2) Monitor your accounts and transactions: You should check your online accounts and transactions regularly for any suspicious or unauthorized activity. If you notice anything unusual, report it to the service provider or the authorities as soon as possible. You should also review your credit reports and scores to see if there are any signs of identity theft or fraud.
3) Use identity theft protection: Identity theft protection companies can monitor personal information like your home title, Social Security number (SSN), phone number, and email address and alert you if it is being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
CyberGuy’s Exclusive Offer: Get the Identity Guard Ultra protection to protect your identity and credit through tax season and beyond for as little as $9.99/mo (lowest offered anywhere) for the first year.
4) Change your passwords: Although Cencora says your personal details like phone number and email address haven’t been leaked, it’s still advisable to change your passwords. Consider using a password manager to generate and store complex passwords.
5) Vigilance against phishing: Be extra cautious of phishing attempts, as cyberattacks often lead to an increase in phishing emails and calls that try to exploit the situation. The best way to protect yourself from clicking malicious links that install malware, which may then gain access to your private information, is to have strong antivirus protection installed on all your devices. This can also alert you to phishing emails or ransomware scams.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
6) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
7) Invest in personal data removal services: While no service promises to remove all your data from the internet, a removal service is great if you want to monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.
A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee and then charges a special CyberGuy discount, available only through the links in this article, of $6.49/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan. You get a fully automated data removal service, including recurring removal from 175+ data brokers. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
Kurt’s key takeaways
The Cencora breach and the recent cyberattacks on healthcare institutions suggest there’s a serious lapse in their infrastructure. Criminals shouldn’t be able to exploit these systems so easily, especially when they contain crucial information about patients. However, you can be cautious on your end. A data breach cannot be reversed, but you can protect yourself from harm by being vigilant. Do not share your personal information with anyone, and avoid clicking on links you don’t trust.
How do you evaluate the trustworthiness of websites and apps before providing your personal information? Let us know in the comments below.
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.