Cencora Inc. (formerly AmerisourceBergen) and its subsidiary, The Lash Group, faced a massive data breach compromising personal and protected health information (PHI) of individuals across the U.S. and its territories. The incident led to a $40 million class-action settlement, with allegations that the company failed to implement adequate cybersecurity measures, exposing sensitive data to unauthorized access. Affected individuals those notified directly or via suspicious activity linked to the breach could claim up to $5,000 for documented losses (e.g., fraud, identity theft) or a pro-rata cash payment. The breach’s fallout included financial fraud risks, reputational damage, and potential long-term harm to victims, with California residents eligible for double compensation under state laws. The settlement covers administrative costs, legal fees, and payouts, with final approval pending in early 2026. Cencora denied liability but settled to avoid prolonged litigation, highlighting the severe operational and legal consequences of the data exposure.
Source: https://www.claimdepot.com/settlements/cencora-data-incident-settlement
TPRM report: https://www.rankiteo.com/company/amerisourcebergen
"id": "ame4762047092025",
"linkid": "amerisourcebergen",
"type": "Breach",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': 'Individuals across the United '
'States and its territories '
'(exact number unspecified)',
'industry': 'Healthcare (pharmaceutical services)',
'location': 'United States',
'name': 'Cencora Inc.',
'type': 'Corporation'},
{'customers_affected': 'Individuals enrolled in or '
'inquiring about patient support '
'programs',
'industry': 'Healthcare (patient support programs)',
'location': 'United States',
'name': 'The Lash Group LLC',
'type': 'Subsidiary/Service Provider'}],
'customer_advisories': 'Eligible individuals can submit claims for documented '
'losses (up to $5,000) or pro rata cash payments by '
'Jan. 19, 2026. California residents receive double '
'the cash payment amount.',
'data_breach': {'data_exfiltration': 'Yes (alleged unauthorized use of '
'personal information)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (includes health and personally '
'identifiable information)',
'type_of_data_compromised': ['Personal information',
'Protected health information '
'(PHI)']},
'description': 'Cencora Inc. and The Lash Group LLC agreed to pay $40,000,000 '
'to settle a class action lawsuit for alleged failures to '
'protect personal information, resulting in a data breach '
'compromising the personal and protected health information of '
'individuals across the United States and its territories. The '
'breach led to a class action settlement offering payouts of '
'up to $5,000 for documented losses or pro rata cash payments '
'for affected individuals.',
'impact': {'brand_reputation_impact': 'Significant (class action settlement '
'and public disclosure)',
'customer_complaints': 'Class action lawsuit filed by affected '
'individuals',
'data_compromised': ['Personal information',
'Protected health information (PHI)'],
'financial_loss': '$40,000,000 (settlement fund)',
'identity_theft_risk': 'High (unauthorized use of personal '
'information reported)',
'legal_liabilities': "$40,000,000 settlement, attorneys' fees "
'($13,333,333.33), and other legal costs'},
'investigation_status': 'Settled (class action lawsuit resolved)',
'post_incident_analysis': {'corrective_actions': 'Settlement agreement ($40M '
'fund) and claim processing '
'for affected individuals',
'root_causes': 'Alleged failures to adequately '
'protect personal information'},
'references': [{'source': 'Class Action Settlement Notice'},
{'source': 'Kroll Settlement Administration LLC'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
'$40,000,000'},
'response': {'communication_strategy': ['Mailed notices to affected '
'individuals',
'Substitute notice via Cencora’s '
'website',
'Media press releases',
'Online and paper claim forms for '
'settlement payouts'],
'recovery_measures': 'Class action settlement ($40M fund) and '
'claim processing',
'third_party_assistance': 'Kroll Settlement Administration LLC '
'(settlement administration)'},
'stakeholder_advisories': ['Mailed notices to affected individuals',
'Website and media press releases',
'Claim submission instructions (online and paper '
'forms)'],
'title': 'Cencora Inc. and The Lash Group LLC Data Breach',
'type': 'Data Breach'}