Leading drug distributor Cencora has disclosed a cybersecurity incident where data from its information systems was compromised, potentially containing personal information.
The breach was discovered on February 21 2024, according to a Securities and Exchange Commission (SEC) filing published on the same day.
“Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel,” reads the filing.
Cencora specializes in pharmaceutical services, distributing drugs and solutions for medical offices, pharmacies and veterinary care. The company had a revenue of $262.2bn in fiscal year 2023 and approximately 46,000 employees.
“Healthcare organizations are very attractive to threat actors because of the wide range of IoT devices and applications used, ranging from systems like EPIC all the way to security cameras, printers and access control systems,” commented Viakoo CEO, Bud Broomhead.
“IoT security is often viewed as the weakest part of an organization’s security; seeing visible efforts by healthcare organizations to improve their IoT security will give confidence to the patients, shareholders and employees that get hurt by cyber-attacks.”
Read more on IoT security: Half of IT Leaders Identify IoT as Security Weak Point
As of the filing date, Cencora states that the incident has not materially impacted its operations, and its systems remain operational.
However, the company has also “not yet determined whether the incident is reasonably likely to materially impact [its] financial condition or results of operations.”
According to Claude Mandy, chief evangelist of data security at Symmetry Systems, it is concerning, though not entirely unexpected, that Cencora cannot conclusively confirm whether the exfiltrated data includes personal information.
“The lack of visibility into what data organizations hold is driving huge adoption of modern data security tools,” Mandy said.
Cencora said updates on the investigation will be provided in compliance with regulatory requirements.