Cencora Inc. (formerly AmerisourceBergen) and its subsidiary, The Lash Group, faced a massive data breach compromising personal and protected health information (PHI) of individuals across the U.S. and its territories. The incident led to a $40 million class-action settlement, with allegations that the company failed to implement adequate cybersecurity measures, exposing sensitive data to unauthorized access. Affected individuals—those notified directly or via suspicious activity linked to the breach—could claim up to $5,000 for documented losses (e.g., fraud, identity theft) or a pro-rata cash payment. The breach’s fallout included financial fraud risks, reputational damage, and potential long-term harm to victims, with California residents eligible for double compensation under state laws. The settlement covers administrative costs, legal fees, and payouts, with final approval pending in early 2026. Cencora denied liability but settled to avoid prolonged litigation, highlighting the severe operational and legal consequences of the data exposure.

The Vermont Office of the Attorney General reported a data breach involving AmerisourceBergen Specialty Group, LLC on October 8, 2024. The breach was confirmed to have affected personal information, including names, addresses, dates of birth, health insurance information, and medical record numbers, with no evidence of fraudulent use reported. The breach occurred on August 14, 2024, when the data was exfiltrated from ABSG's information systems.

On May 31, 2024, the Vermont Office of the Attorney General reported a data breach involving AmerisourceBergen Specialty Group, LLC (ABSG). The breach was confirmed on April 3, 2024, and involved the exfiltration of personal information, including names, health information, and Medicare/Medicaid numbers, although the number of affected individuals is unknown.

In February 2024, Cencora—a Fortune 10 pharmaceutical distributor—and its subsidiary The Lash Group disclosed a massive data breach affecting over 1.4 million U.S. individuals. The incident exposed highly sensitive personal and health data, including names, addresses, Social Security numbers, dates of birth, health/insurance records, political opinions, criminal history, fingerprint data, and driver’s license/passport details. The breach impacted over 30 pharmaceutical clients, with notifications sent to state attorneys general confirming the scale. A $40 million class-action settlement was approved in July 2024, offering victims up to $5,000 for documented losses tied to identity theft, fraud, or credit monitoring. Cencora denied liability but agreed to the payout, with claims processed by Kroll Settlement Administration. The breach’s severity stems from the comprehensive exposure of personally identifiable information (PII) and protected health information (PHI), posing long-term risks of fraud, financial harm, and reputational damage to affected individuals.

Pharmaceutical distributor AmerisourceBergen suffered from a data breach incident in that hackers compromised the IT system of one of its subsidiaries after threat actors began leaking allegedly stolen data. All files are purportedly taken from AmerisourceBergen and MWI Animal Health, most likely the subsidiary that was compromised has been shared by the Lorenz ransomware organization. They promptly enlisted the necessary teams to contain the disruption, limit the infiltration, and take precautions to make sure all systems were free of any intrusions—which they are currently.