About the Cencora Lash Data Breach Settlement
If you received notice about the Cencora data security incident or believe your prescription records were compromised, you may be eligible to participate in this pharmaceutical breach settlement.
The $40 million settlement fund addresses one of the largest alleged healthcare data breach failures in recent years, potentially affecting over 1.43 million patients nationwide who were enrolled in patient support programs or received medications through participating pharmacies.
Cencora Pharmaceutical Data Breach Overview
Unauthorized parties reportedly gained access to Cencora's computer systems on February 21, 2024, which forensic investigators later confirmed involved the extensive exfiltration of data.
The breach targeted systems containing highly sensitive medical information, potentially affecting patients who received their drugs from Cencora Lash or participated in its pharmaceutical assistance programs.
Cencora and The Lash Group haven't admitted any wrongdoing, but they've agreed to pay $40 million to resolve the class action lawsuit.
Patient data exposed in cyberattack
Hackers allegedly accessed a comprehensive range of personal and medical data that class plaintiffs say could put patients at risk for years to come.
- Personal identifiers: Names, home addresses, dates of birth.
- Government-issued IDs: Social Security numbers, driver's licenses, passport information.
- Medical information: Health insurance details, medical histories, and diagnosis codes.
- Prescription data: Medication names, dosages, prescription records, pharmacy information.
- Financial records: Bank account details, transaction histories, payment information.
- Additional sensitive data: IP addresses, biometric information, even political opinions and sexual orientation, in some cases.
According to the lawsuit, the identity thieves could use this information to open fraudulent accounts, file false insurance claims, or access medical services under patients' names.
Major Drug Companies Involved in the Data Breach Incident
The Cencora data breach didn't just impact one or two companies – it affected sectors of the entire pharmaceutical industry. Class plaintiffs have named over 40 major Big Pharma manufacturers as defendants including:
- Bristol-Myers Squibb and its Patient Assistance Foundation.
- Pfizer Inc., one of the world's largest pharmaceutical companies.
- Johnson & Johnson and its patient assistance programs.
- GlaxoSmithKline and ViiV Healthcare
- AbbVie, Regeneron, and Amgen
- AstraZeneca, Eli Lilly, and Genentech
Each company maintained patient support programs through Cencora or The Lash Group.
Patients who received pharmaceutical assistance or enrolled in programs from any of the defendant manufacturers may have had their data compromised.
The Cencora settlement agreement contains a complete list of defendants.
Patient support programs hacked
Pharmaceutical patient assistance programs help individuals afford their medications.
The breach is claimed to have specifically targeted data from:
- Manufacturer assistance programs offering free or discounted medications.
- Prescription supply services managing ongoing treatments.
- Specialty pharmacy programs for complex conditions.
- Co-pay assistance initiatives reducing out-of-pocket costs.
Medical Initiatives Inc., a now-defunct Cencora subsidiary, maintained much of the allegedly compromised data.
This settlement extends to anyone who filled out applications, renewed assistance, or received benefits through Medical Initiatives between the class period.
Legal Claims in the Lawsuit
Plaintiffs alleged the companies failed to implement adequate data protection measures despite handling millions of patients' sensitive information.
The lawsuit claimed the breach itself represented a fundamental negligence in safeguarding patient data.
Specific allegations included:
- Failure to encrypt sensitive data properly
- Inadequate network monitoring systems
- Insufficient access controls for patient databases
- Delayed response to security threats
- Vulnerability in prescription privacy systems that hackers exploited
Data breach attorneys representing the class argued that Cencora's security measures fell significantly short of industry standards, leaving patient data vulnerable to unauthorized access.
AmerisourceBergen's response to the allegations
Cencora (formerly AmerisourceBergen) took a standard legal approach in responding to the class action lawsuit.
AmerisourceBergen denied all allegations of wrongdoing. However, the company took immediate action after discovering the breach.
- Engaged cybersecurity experts to investigate.
- Implemented containment measures to prevent further access.
- Began comprehensive reviews of affected systems.
- Notified law enforcement agencies.
- Informed affected individuals.
Despite maintaining their innocence, Cencora agreed to the $40 million settlement to avoid the costs and uncertainty of prolonged litigation.
Who is Eligible for the Data Breach Settlement?
The settlement class includes all Cencora patients residing in the United States or its territories whose personal information was potentially compromised in the incident.
Pharmaceutical patients may qualify as a class member if they fall into any of the following three categories:
- Direct notification recipients: Received a mailed letter from Cencora about the data security incident.
- Substitute notice viewers: Learned about the breach through Cencora's website announcement or media press releases.
- Suspicious activity experiencers: Noted unusual activity between September 1, 2023, and August 5, 2025, that could be linked to this breach.
The settlement covers a broad range of individuals because patient data flowed through multiple channels in Cencora's systems.
How to verify eligibility
Several methods can help Cencora patients determine if they can participate in this settlement:
1. Check the mail: Look for official breach notification letters from Cencora, The Lash Group, or affiliated pharmaceutical companies. These letters typically include a Class Member ID that simplifies the claims process.
2. Review medical history: Consider whether you've enrolled in any of the defendant’s patient assistance programs or if you’ve received free or discounted medications from The Lash Group. Patients who used specialty pharmacy services or participated in co-pay assistance initiatives may also qualify.
3. Monitor suspicious activity: Document any instances of unexplained medical bills or insurance claims, prescription medications never ordered, identity theft potentially linked to medical information, or fraudulent use of your Social Security number.
Patients who are unsure about eligibility can contact the settlement administrator to verify status before submitting a claim.
Settlement Fund Distribution and Proposed Payment Structure
This settlement offers two possible remedies for eligible class members.
Documented loss payment option
This option offers a maximum compensation of up to $5,000 per eligible class member. However, claimants must provide receipts and documentation for all claimed expenses.
Covered costs related to the breach may include:
- Identity theft protection services.
- Credit monitoring fees.
- Time lost from work dealing with fraud.
- Professional services (accountants, lawyers) hired due to the breach.
- Out-of-pocket costs for replacing documents.
Cash Fund Payment Option
This simpler option requires no documentation and pays out after the administrator processes all documented claims.
California residents may receive special consideration for violations of state consumer protection statutes, receiving double compensation compared to residents of other states.
How to File a Claim
Online Claim
- Visit CencoraIncidentSettlement.com
- Enter your Class Member ID - Unique identifier in the notification letter.
- Choose compensation type - Select either documented loss or cash fund payment.
- Provide required information - Fill out personal details and claim specifics.
- Select payment method - Choose from PayPal, Venmo, Zelle, or traditional check.
- Submit before January 19, 2026
Mail-In Claim
Download the PDF claim form from the settlement website. Complete all sections and attach any required documentation (copies only, never originals).
Make a copy for your records and mail the claim to: Kroll Settlement Administration LLC, P.O. Box 225391, New York, NY, 10150-539.
Your claim must be postmarked by January 19, 2026.
Proof Needed for Documented Loss Claims
Pursuing the maximum $5,000 compensation requires thorough documentation and adherence to specific guidelines.
Settlement administrators will scrutinize all supporting evidence:
- Bank statements highlighting unauthorized transactions.
- Credit card statements showing fraudulent charges.
- Identity protection service invoices.
- Receipts for credit monitoring subscriptions.
- Bills from professionals helping with breach-related issues.
- Employer letters confirming time off work.
- Pay stubs showing lost wages.
- Calendar records of time spent addressing fraud.
- Phone records showing calls to financial institutions.
- Travel receipts for trips to banks or government offices.
Remember only to submit document copies and keep all originals for your records.
Settlement Dates and Deadlines
- December 18, 2025: Exclusion and Objection
- January 19, 2026: Claim Form Deadline
- February 5, 2026: Final Approval Hearing
- Spring 2026: Expected Payment Timeline
Add Comment