Cencora/Lash Group Faces Class Action Lawsuit Over Cyberattack

Cencora Inc. and The Lash Group LLC are facing a data breach-related lawsuit filed by plaintiff Keith Wolford. The lawsuit alleges that the defendants failed to implement reasonable and proper security measures to protect the privacy of personally identifiable information (PII) and protected health information (PHI) covered by HIPAA. Because of those failures, patient data was impermissibly exposed to threat actors.

Cencora, a wholesale drug firm previously called AmerisourceBergen, and its parent company called The Lash Group, reported in May 2024 unauthorized access to its network by a third party and the exfiltration of sensitive information. According to the forensic investigation, the stolen information included personal and health data such as first and last names, birth dates, diagnoses, and/or prescription drugs. In May 2024, breach notifications were sent to the impacted persons, who also received free credit monitoring and remediation services for 2 years.

Cencora informed the Securities and Exchange Commission (SEC) regarding the cyberattack on February 27, 2024. AmerisourceBergen Specialty Group, LLC informed the HHS’ Office for Civil Rights regarding the breach by sending two breach notices on May 31, 2024, indicating that 255,316 persons were affected. About 2 dozen pharmaceutical and biotechnology companies were impacted. Notification letters were sent to the impacted people on May 27, 2024.

Aside from the failure to secure patient information, the lawsuit claims there was an unnecessary delay in providing individual breach notification letters. Notification letters were sent three months after the SEC was notified about the cyberattack. Because of this, the plaintiff and class members did not know for three months that they were at a higher risk of identity theft, fraud, and other harm, and so missed the chance to take steps to protect themselves against personal, financial, and social problems.

The lawsuit states that the actions or inaction of Cencora Inc. and The Lash Group LLC equate to unjust enrichment, negligence, negligence per se, breach of fiduciary duty, and breach of implied contract. The lawsuit was filed in the U.S. District Court for the Northern District of California by plaintiff and class legal representatives Nicholas Sandercock, Tyler J. Bean, and Mason A. Barney of Siri & Glimstad LLP. The lawsuit seeks a jury trial, class certification, an award of statutory and actual damages, and declaratory and injunctive relief.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA