Cencora/The Lash Group Pay $40 Million to Resolve Data Breach Lawsuit

The Lash Group and Cencora have agreed to pay $40 million to resolve claims stemming from a 2024 data breach. The Lash Group, now part of Cencora (formerly AmerisourceBergen), is a pharmaceutical solutions organization that works with pharmaceutical companies, pharmacies, and healthcare providers. On February 21, 2024, it discovered unauthorized access to its network. Hackers exfiltrated files from its information systems that contained the personal information of individuals collected during past and current partnerships with organizations in connection with patient support programs. That information included names, addresses, dates of birth, Social Security numbers, diagnoses, medications, prescription information, and other sensitive data. More than 30 of its clients, mostly pharmaceutical companies, were affected. While the total number of affected individuals was not disclosed, notifications issued to state attorneys general suggest more than 1.4 million individuals had their data stolen in the attack.

Individuals affected by the data breach took legal action seeking damages and compensation for injuries sustained as a result of the data breach. The lawsuits were consolidated into a single complaint in the U.S District Court for the Eastern District of Pennsylvania (Anaya et Al. v. Cencora, Inc., et al.). The consolidated class action lawsuit alleged the defendants were negligent by failing to implement reasonable and appropriate safeguards to protect sensitive data, and had reasonable care been taken, the data breach could have been prevented.

The defendants maintain there was no wrongdoing and no liability; however, a settlement was agreed to resolve the litigation to avoid the costs, risk, and uncertainty associated with continuing the litigation and going to trial. Legal counsel for the plaintiffs agreed to a settlement as it would ensure that the plaintiffs and class members received compensation for their losses. Under the terms of the settlement, a $40 million fund will be established to cover attorneys’ fees (up to one-third of the settlement), legal costs and expenses, settlement administration costs, class representative awards, and benefits for class members.

Class members may claim up to $5,000 as reimbursement for unreimbursed, documented losses fairly traceable to the data breach. Should claims exceed $5,000,000, they will be paid pro rata. Class members who do not wish to submit a claim for reimbursement of losses may instead choose to receive a cash payment. Cash payments will be paid once all costs, expenses, and claims have been paid, and will be paid pro rata. The amount paid per class member will depend on the number of valid claims received. Further information can be found on the settlement website: cencoraincidentsettlement.com.

Cencora has confirmed that it has enhanced data security since the incident to prevent similar data breaches in the future, and will continue to review its security measures and make enhancements as necessary to better address future cybersecurity risks.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/