2024-02-27 Cencora, Inc. Cybersecurity Incident

Page last updated on August 21, 2024

Cencora, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2024-02-27 17:15:26 EST.

Company Summary

Cencora is a global healthcare company that advances the development and delivery of pharmaceuticals and healthcare products. (Source: Crunchbase)

Incident Details

Material: Unknown
Is Breach: TRUE
Records Compromised: Unknown
Data Types Impacted: Name, Home address, Date of Birth, Health data

Compromised Date:
Detected Date: 2024-02-21
Disclosure Date: 2024-02-27
Contained Date: 2024-07-31
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2024-02-27

Cencora, Inc. filed an 8-K at 2024-02-27 17:15:26 EST
Accession Number: 0001104659-24-028288

Item 1.05 Material Cybersecurity Incidents.

On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.

As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.


8-K/A filed on 2024-07-31

Cencora, Inc. filed an 8-K/A at 2024-07-31 16:12:40 EDT
Accession Number: 0001104659-24-084351

Item 1.05 Material Cybersecurity Incidents.

In the Original Report the Company disclosed that it learned, on February 21, 2024, that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.

Through that investigation, the Company learned that additional data, beyond what was initially identified, had been exfiltrated. The Company has identified and completed its review of most of the exfiltrated data (the “Data”). This review has confirmed that the Data included personally identifiable information (“PII”) and protected health information (“PHI”) of individuals, most of which is maintained by a Company subsidiary that provides patient support services.

For PII and PHI discovered in the Data to date, the Company has provided required notifications to potentially affected parties and individuals as well as regulatory agencies. The Company continues to review the Data and it intends to provide any additional required notifications to affected and potentially affected parties and appropriate regulatory agencies. The Company has no evidence that any of the Data has been or will be publicly disclosed.

The Company believes it has contained the incident, and the Company has undertaken remediation efforts, which are ongoing. As part of its remediation efforts, the Company is working with cybersecurity experts to reinforce its systems, strengthen its surveillance of cybersecurity threats and prevent unauthorized occurrences on or conducted through its IT systems.

The incident has not had a material impact on the Company’s operations, and its information systems have continued to be fully operational. The Company does not believe the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.


Company Information

Name: Cencora, Inc.
CIK: 0001140859
SIC Description: Wholesale-Drugs, Proprietaries & Druggists’ Sundries
Ticker: COR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29