Cencora Data Breach Lawsuit: Half a Million Patients Exposed in Cyberattack

Two pharmaceutical companies have been slammed with a lawsuit after they suffered a cyberattack that exposed the private health information of more than half-a-million of its clients.

Plaintiff Kelvin James filed the proposed class action lawsuit against drug wholesale company Cencora Inc. and its subsidiary The Lash Group LLC on May 30 in a Pennsylvania federal court, alleging negligence and breach of implied contract. 

Cencora, formerly known as AmerisourceBergen, is a drug wholesale company and Lash Group, its subsidiary, connects creators of pharmaceutical products with providers who care for patients. 

James is suing the pair after they were allegedly hit with a “massive and preventable” cyberattack, discovered Feb. 21, 2024, which exposed the data of at least 540,000 of their customers. 

Customers’ Private Health Information Exposed, Lawsuit Says

James says the cyberattack targeted customers’ private health information on the companies’ information network, including full name, date of birth, health diagnosis, medications and prescriptions.

It was negligence that led to the cybercriminals infiltrating the companies’ inadequately protected network servers and accessing the highly sensitive information, James alleges.

“Defendants disregarded the rights of [James and the class] by intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate and reasonable measures to ensure that [their private information] was safeguarded,” the lawsuit states.

Drug Companies Failed To Inform Consumers About Data Breach

James says the companies put consumers further at risk by neglecting to inform them of the breach until more than three months after it was discovered.

He says, while they claim to have discovered the breach as early as Feb. 1, 2024, they did not inform victims of the data breach until May 17. 

James claims he and other victims were “wholly unaware of the data breach” until they received letters informing them of it.

Customers Put at Risk of Identity Fraud, Wasted Time

According to the Cencora lawsuit, James says he and others have suffered from the data breach and will continue to suffer harm.

James is a patient with the companies, and therefore provided them with his name, date of birth, and full health, insurance, and financial information. He says he’s normally very careful with his data, however he trusted the companies to protect it. 

“James would not have entrusted his Private Information to Defendants had he known of Defendants’ lax data security policies,” the lawsuit says. 

James says, after the data breach his credit score was damaged, he had suffered suspicious unauthorized account openings and transactions and lost time checking his accounts.

This lawsuit is the latest in a wave of lawsuits Cencora has faced in the wake of the data breach, Bloomberg reports. At least four other lawsuits have been filed in the past several weeks.

In the Cencora Lash Group data breach class action lawsuit, James seeks to represent a nationwide class of patients whose information was compromised in the Cencora Lash Group data breach. He alleges negligence, breach of implied contract, and unjust enrichment, seeking damages, legal fees, and a court order mandating enhanced cybersecurity measures from the companies involved.

Case Details

• Lawsuit: James v. Cencora Inc et al.
• Case Number: 2:24-cv-02304-CMR
• Court: U.S. District Court for the Eastern District of Pennsylvania

Plaintiffs' Attorneys

• Patrick Howard (Saltz, Mongeluzzi & Bendesky P.C.)
• Daniel Srourian (Srourian Law Firm P.C.)