Class Action Lawsuit Filed Against Cencora/Lash Group Over Cyberattack
A lawsuit has been filed against Cencora Inc. and The Lash Group LLC over a recently disclosed data breach. The lawsuit, which is likely to be one of many, names Keith Wolford as the plaintiff, and alleges the defendants failed to implement reasonable and appropriate safeguards to ensure the confidentiality of personally identifiable and protected health information. As a result of those failures, patient data has been impermissibly disclosed to cybercriminals.
Cencora, a wholesale drug company formerly known as AmerisourceBergen and the parent company of The Lash Group, announced in May 2024 that an unauthorized third party accessed its network and exfiltrated sensitive data. The forensic investigation confirmed that the stolen data included personal and health information such as first names, last names, dates of birth, diagnoses, and/or medications and prescriptions. Notifications were issued to the affected individuals in May 2024 and free credit monitoring and remediation services have been offered for 24 months.
Cencora notified the Securities and Exchange Commission (SEC) about the attack on February 27, 2024, and AmerisourceBergen Specialty Group, LLC notified the HHS’ Office for Civil Rights about the breach in two breach notices on May 31, 2024, affecting a total of 255,316 individuals. Around 2 dozen pharmaceutical and biotechnology firms have been affected. Notification letters were mailed to the affected individuals on May 27, 2024.
In addition to failing to adequately protect patient data, the lawsuit alleges there has been an unnecessary delay in issuing individual notification letters, which were sent three months after the SEC was notified about the cyberattack. As a result, for three months the plaintiff and class members were unaware that they had been placed at an increased risk of identity theft, fraud, and other harms, denying them the opportunity to take steps to protect against personal, social, and financial harm.
The lawsuit alleges the actions and inaction of the defendants amount to negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of fiduciary duty. The lawsuit was filed in the U.S. District Court for the Northern District of California, and the plaintiff and class are represented by Nicholas Sandercock, Mason A. Barney, and Tyler J. Bean of Siri & Glimstad LLP. The lawsuit seeks class certification, a jury trial, declaratory and injunctive relief, and an award of statutory and actual damages.


