Cencora (formerly AmerisourceBergen)

In February 2024, Cencora, a Fortune 10 pharmaceutical distributor, and its subsidiary The Lash Group disclosed a massive data breach affecting over 1.4 million U.S. individuals. The incident exposed highly sensitive personal and health data, including names, addresses, Social Security numbers, dates of birth, health/insurance records, political opinions, criminal history, fingerprint data, and driver’s license/passport details. The breach impacted over 30 pharmaceutical clients, and notifications sent to state attorneys general confirmed the scale. A $40 million class-action settlement was approved in July 2024, offering victims up to $5,000 for documented losses tied to identity theft, fraud, or credit monitoring. Cencora denied liability but agreed to the payout, with claims processed by Kroll Settlement Administration. The breach’s severity stems from the comprehensive exposure of personally identifiable information (PII) and protected health information (PHI), which poses long-term risks of fraud, financial harm, and reputational damage to affected individuals.

Source: https://www.delawareonline.com/story/news/2025/09/30/lash-group-cencora-settlement-payout-do-you-qualify-kroll-cencora-data-security-incident-settlement/86423187007/

TPRM report: https://www.rankiteo.com/company/amerisourcebergen

"id": "ame4532245093025",
"linkid": "amerisourcebergen",
"type": "Breach",
"date": "2/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1.4+ million individuals',
                        'industry': 'Pharmaceutical Distribution',
                        'location': 'Conshohocken, Pennsylvania, U.S.',
                        'name': 'Cencora (formerly AmerisourceBergen)',
                        'size': 'Large (Fortune 10, $316.65B revenue)',
                        'type': 'Public Company'},
                       {'customers_affected': '1.4+ million individuals '
                                              '(shared with Cencora)',
                        'industry': 'Patient Support Programs',
                        'location': 'U.S.',
                        'name': 'The Lash Group',
                        'type': 'Subsidiary'},
                       {'industry': 'Pharmaceutical',
                        'location': 'U.S.',
                        'name': '30+ Pharmaceutical Companies (clients)',
                        'type': 'Corporate Clients'}],
 'customer_advisories': 'Eligible individuals can file claims for up to $5,000 '
                        'in reimbursement for documented losses or a cash '
                        'payment (no documentation required). Deadline: '
                        '2026-01-19.',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '1.4+ million (estimated)',
                 'personally_identifiable_information': 'Yes (comprehensive '
                                                        'PII)',
                 'sensitivity_of_data': 'High (includes SSNs, health data, '
                                        'biometrics)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)',
                                              'Biometric Data',
                                              'Government-Issued IDs']},
 'date_publicly_disclosed': '2024-02-27',
 'description': 'A massive data breach disclosed by Cencora (formerly '
                'AmerisourceBergen) and its subsidiary The Lash Group in '
                'February 2024, exposing sensitive personal information of '
                'over 1.4 million individuals in the U.S. The breach affected '
                'over 30 clients, primarily pharmaceutical companies, and led '
                'to a $40 million class action settlement. Compromised data '
                'included names, addresses, dates of birth, Social Security '
                'numbers, health/insurance information, political opinions, '
                "criminal history, fingerprint data, and driver's "
                'license/passport information.',
 'impact': {'brand_reputation_impact': 'Significant (settlement and public '
                                       'disclosure)',
            'customer_complaints': 'Class action lawsuit filed (Anaya, et al. '
                                   'v. Cencora, Inc.)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of birth',
                                 'Social Security numbers',
                                 'Health and insurance information',
                                 'Political opinions',
                                 'Criminal history',
                                 'Fingerprint information',
                                 "Driver's license information",
                                 'Passport information'],
            'financial_loss': '$40 million (settlement fund)',
            'identity_theft_risk': 'High (sensitive PII exposed)',
            'legal_liabilities': '$40 million settlement (pending final '
                                 'approval)'},
 'investigation_status': 'Ongoing (settlement pending final approval on '
                         '2026-02-06)',
 'post_incident_analysis': {'corrective_actions': '$40 million settlement fund '
                                                  'for affected individuals'},
 'references': [{'source': 'USA TODAY (via Lori Comstock, Mid-Atlantic Connect '
                           'Team)'},
                {'source': 'Cencora Incident Settlement Website',
                 'url': 'https://www.cencoraincidentsettlement.com'},
                {'source': 'U.S. District Court (Eastern Pennsylvania) - '
                           'Preliminary Approval (July 2024)'}],
 'regulatory_compliance': {'legal_actions': ['Class action lawsuit (Anaya, et '
                                             'al. v. Cencora, Inc.)',
                                             '$40 million settlement (pending '
                                             'final approval)'],
                           'regulatory_notifications': ['U.S. Securities and '
                                                        'Exchange Commission '
                                                        '(SEC)',
                                                        'State Attorneys '
                                                        'General']},
 'response': {'communication_strategy': ['Mailed notices to affected '
                                         'individuals',
                                         'Public settlement website '
                                         '(www.cencoraincidentsettlement.com)',
                                         'Toll-free helpline (833-621-8029)'],
              'incident_response_plan_activated': 'Yes (disclosure to SEC and '
                                                  'state attorneys general)',
              'recovery_measures': '$40 million settlement fund',
              'third_party_assistance': ['Kroll Settlement Administration '
                                         '(claims handling)']},
 'stakeholder_advisories': ['Mailed notices to affected individuals',
                            'Public settlement website',
                            'Toll-free helpline'],
 'title': 'Cencora Data Security Incident',
 'type': ['Data Breach', 'Class Action Lawsuit']}