Cencora building

Lash Group Cencora Settlement for Data Breach Patients Reaches $40M

Major drug companies settle a healthcare privacy breach that allegedly impacted millions of patient prescription records.

  • Data Breach Lawsuit

Last Update

lawsuitlike
lawsuitlike
lawsuitlike

About the Cencora Lash Data Breach Settlement

 

If you received notice about the Cencora data security incident or believe your prescription records were compromised, you may be eligible to participate in this pharmaceutical breach settlement. 

 

The $40 million settlement fund addresses one of the largest alleged healthcare data breach failures in recent years, potentially affecting over 1.43 million patients nationwide who were enrolled in patient support programs or received medications through participating pharmacies.

 

Cencora Pharmaceutical Data Breach Overview

Unauthorized parties reportedly gained access to Cencora's computer systems on February 21, 2024, which forensic investigators later confirmed involved the extensive exfiltration of data. 

 

The breach targeted systems containing highly sensitive medical information, potentially affecting patients who received their drugs from Cencora Lash or participated in its pharmaceutical assistance programs.

 

Cencora and The Lash Group haven't admitted any wrongdoing, but they've agreed to pay $40 million to resolve the class action lawsuit. 

 

Patient data exposed in cyberattack

Hackers allegedly accessed a comprehensive range of personal and medical data that class plaintiffs say could put patients at risk for years to come.

  • Personal identifiers: Names, home addresses, dates of birth.
  • Government-issued IDs: Social Security numbers, driver's licenses, passport information.
  • Medical information: Health insurance details, medical histories, and diagnosis codes.
  • Prescription data: Medication names, dosages, prescription records, pharmacy information.
  • Financial records: Bank account details, transaction histories, payment information.
  • Additional sensitive data: IP addresses, biometric information, even political opinions and sexual orientation, in some cases.

 

According to the lawsuit, the identity thieves could use this information to open fraudulent accounts, file false insurance claims, or access medical services under patients' names. 

 

Major Drug Companies Involved in the Data Breach Incident

The Cencora data breach didn't just impact one or two companies – it affected sectors of the entire pharmaceutical industry. Class plaintiffs have named over 40 major Big Pharma manufacturers as defendants including:

  • Bristol-Myers Squibb and its Patient Assistance Foundation.
  • Pfizer Inc., one of the world's largest pharmaceutical companies.
  • Johnson & Johnson and its patient assistance programs.
  • GlaxoSmithKline and ViiV Healthcare
  • AbbVie, Regeneron, and Amgen
  • AstraZeneca, Eli Lilly, and Genentech

 

Each company maintained patient support programs through Cencora or The Lash Group.

 

Patients who received pharmaceutical assistance or enrolled in programs from any of the defendant manufacturers may have had their data compromised. 

 

The Cencora settlement agreement contains a complete list of defendants.

 

Patient support programs hacked

Pharmaceutical patient assistance programs help individuals afford their medications. 

 

The breach is claimed to have specifically targeted data from:

  • Manufacturer assistance programs offering free or discounted medications.
  • Prescription supply services managing ongoing treatments.
  • Specialty pharmacy programs for complex conditions.
  • Co-pay assistance initiatives reducing out-of-pocket costs.

 

Medical Initiatives Inc., a now-defunct Cencora subsidiary, maintained much of the allegedly compromised data. 

 

This settlement extends to anyone who filled out applications, renewed assistance, or received benefits through Medical Initiatives between the class period.

 

Legal Claims in the Lawsuit

Plaintiffs alleged the companies failed to implement adequate data protection measures despite handling millions of patients' sensitive information. 

 

The lawsuit claimed the breach itself represented a fundamental negligence in safeguarding patient data.

 

Specific allegations included:

  • Failure to encrypt sensitive data properly
  • Inadequate network monitoring systems
  • Insufficient access controls for patient databases
  • Delayed response to security threats
  • Vulnerability in prescription privacy systems that hackers exploited

 

Data breach attorneys representing the class argued that Cencora's security measures fell significantly short of industry standards, leaving patient data vulnerable to unauthorized access.

 

AmerisourceBergen's response to the allegations 

Cencora (formerly AmerisourceBergen) took a standard legal approach in responding to the class action lawsuit. 

 

AmerisourceBergen denied all allegations of wrongdoing. However, the company took immediate action after discovering the breach.

  • Engaged cybersecurity experts to investigate.
  • Implemented containment measures to prevent further access.
  • Began comprehensive reviews of affected systems.
  • Notified law enforcement agencies.
  • Informed affected individuals.

 

Despite maintaining their innocence, Cencora agreed to the $40 million settlement to avoid the costs and uncertainty of prolonged litigation.

Who is Eligible for the Data Breach Settlement?

The settlement class includes all Cencora patients residing in the United States or its territories whose personal information was potentially compromised in the incident.

 

Pharmaceutical patients may qualify as a class member if they fall into any of the following three categories:

  • Direct notification recipients: Received a mailed letter from Cencora about the data security incident.
  • Substitute notice viewers: Learned about the breach through Cencora's website announcement or media press releases.
  • Suspicious activity experiencers: Noted unusual activity between September 1, 2023, and August 5, 2025, that could be linked to this breach.

 

The settlement covers a broad range of individuals because patient data flowed through multiple channels in Cencora's systems.

 

How to verify eligibility

Several methods can help Cencora patients determine if they can participate in this settlement:

 

1. Check the mail: Look for official breach notification letters from Cencora, The Lash Group, or affiliated pharmaceutical companies. These letters typically include a Class Member ID that simplifies the claims process.

 

2. Review medical history: Consider whether you've enrolled in any of the defendant’s patient assistance programs or if you’ve received free or discounted medications from The Lash Group. Patients who used specialty pharmacy services or participated in co-pay assistance initiatives may also qualify.

 

3. Monitor suspicious activity: Document any instances of unexplained medical bills or insurance claims, prescription medications never ordered, identity theft potentially linked to medical information, or fraudulent use of your Social Security number.

 

Patients who are unsure about eligibility can contact the settlement administrator to verify status before submitting a claim.

 

Settlement Fund Distribution and Proposed Payment Structure

This settlement offers two possible remedies for eligible class members. 

 

Documented loss payment option

This option offers a maximum compensation of up to $5,000 per eligible class member. However, claimants must provide receipts and documentation for all claimed expenses.

 

Covered costs related to the breach may include:

  • Identity theft protection services.
  • Credit monitoring fees.
  • Time lost from work dealing with fraud.
  • Professional services (accountants, lawyers) hired due to the breach.
  • Out-of-pocket costs for replacing documents.

 

Cash Fund Payment Option

This simpler option requires no documentation and pays out after the administrator processes all documented claims.

 

California residents may receive special consideration for violations of state consumer protection statutes, receiving double compensation compared to residents of other states.

 

How to File a Claim 

 

Online Claim 

  1. Visit CencoraIncidentSettlement.com
  2. Enter your Class Member ID - Unique identifier in the notification letter.
  3. Choose compensation type - Select either documented loss or cash fund payment.
  4. Provide required information - Fill out personal details and claim specifics.
  5. Select payment method - Choose from PayPal, Venmo, Zelle, or traditional check.
  6. Submit before January 19, 2026 

 

Mail-In Claim 

Download the PDF claim form from the settlement website. Complete all sections and attach any required documentation (copies only, never originals).

 

Make a copy for your records and mail the claim to: Kroll Settlement Administration LLC, P.O. Box 225391, New York, NY, 10150-539.

 

Your claim must be postmarked by January 19, 2026.

Proof Needed for Documented Loss Claims

Pursuing the maximum $5,000 compensation requires thorough documentation and adherence to specific guidelines. 

 

Settlement administrators will scrutinize all supporting evidence:

  • Bank statements highlighting unauthorized transactions.
  • Credit card statements showing fraudulent charges.
  • Identity protection service invoices.
  • Receipts for credit monitoring subscriptions.
  • Bills from professionals helping with breach-related issues.
  • Employer letters confirming time off work.
  • Pay stubs showing lost wages.
  • Calendar records of time spent addressing fraud.
  • Phone records showing calls to financial institutions.
  • Travel receipts for trips to banks or government offices.

 

Remember only to submit document copies and keep all originals for your records. 

 

Settlement Dates and Deadlines

 

  • December 18, 2025: Exclusion and Objection 
  • January 19, 2026: Claim Form Deadline
  • February 5, 2026: Final Approval Hearing
  • Spring 2026: Expected Payment Timeline

Frequently Asked Questions (FAQ)

Yes, you can still file a claim without a notification letter. If you participated in any patient assistance program through The Lash Group or received medications from the affected pharmaceutical companies between September 1, 2023, and August 5, 2025, you may be eligible. The settlement administrator can verify your eligibility using alternative documentation, such as pharmacy records or program enrollment proof, when you submit your claim through the official settlement website.

 

The documented loss payment requires you to submit receipts and proof of expenses directly related to the data breach, such as identity theft protection services or time lost from work due to the incident. You can claim up to $5,000, but you must provide documentation for every expense. The cash fund payment requires no documentation and provides an equal share of the remaining settlement funds to all approved claimants, with California residents receiving double the standard amount.

 

The cyberattack exposed extensive personal and medical information, including names, addresses, Social Security numbers, health insurance details, medical histories, prescription records, medication details, financial information, driver's license numbers, and passport information. Some individuals also had biometric data, genetic information, and even sensitive personal details like political opinions or sexual orientation exposed, depending on what information was collected through their specific patient assistance program.

 

No, you don't need an attorney to file your claim for the Cencora settlement. The settlement administrator designed the claims process for individuals to complete on their own through the official website CencoraIncidentSettlement.com or by mailing a paper form. The settlement administrator provides free assistance if you have questions, and the online system guides you through each step. However, if you choose to exclude yourself from the settlement to pursue individual litigation, consulting with a data breach attorney would be advisable.

This is an advertisement. OnlyClassActions is not a law firm or referral service, and we do not provide legal advice. OnlyClassActions provides a free service for individuals seeking legal representation, and we do not charge you to be connected with an attorney. We do not recommend or endorse any attorneys that pay to participate. OnlyClassActions utilizes a pool of attorneys in each jurisdiction, and attorneys are selected through a round-robin process without our evaluating your legal situation when selecting which attorney will receive your information. OnlyClassActions makes no representation about the quality of legal services or the qualifications of any attorney participating in our pool. Information you submit will be shared with third-party attorney(s). An attorney-client relationship is not formed when you submit information through the form. Hiring a lawyer is a critical decision and should not be predicated solely on comments, advertisements, or other content found on any website. You are under no obligation to retain a lawyer who contacts you through this service.

Add Comment