On May 22, 2024, Lash Group, a division of Cencora, filed a notice with the Attorney General of California, explaining that a recent data breach resulted in confidential information in the company’s possession being accessible to an unauthorized party. In this notice, Lash Group explains that the incident resulted in an unauthorized party being able to access sensitive information belonging to patients enrolled in “patient support programs” through Novartis Pharmaceuticals Corporation (“Novartis”), including their names, addresses, dates of birth, medical information, and prescription medications. Upon completing its investigation, Lash Group began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.
If you received a data breach notification from Lash Group about information you had provided to Novartis, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the Lash Group / Novartis data breach. For more information, please see our recent piece on the topic here.
What Caused the Data Breach Affecting Novartis Patients?
The Lash Group data breach was only recently announced, and more information is expected in the near future. However, Lash Group’s filing with the Attorney General of California provides some important information on what led up to the breach. According to this source, Lash Group provides certain services to Novartis, including overseeing Novartis’ patient support programs.
On February 21, 2024, Cencora, Lash Group’s parent company, learned that certain information that was stored on its IT network had been exfiltrated. In response, Lash Group / Cencora contained the incident and then launched an investigation with the help of law enforcement and external cybersecurity specialists.
On April 10, 2024, Lash Group / Cencora confirmed that information belonging to certain Novartis patients was among that which was removed from Lash Group’s IT network.
After learning that sensitive consumer data was accessible to an unauthorized party, Lash Group reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, date of birth, medical information, and prescription medications.
On May 22, 2024, Lash Group sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.
More Information About Lash Group & Novartis
Founded in 1986 and based in Fort Mill, South Carolina, Lash Group is a division of Cencora (formerly AmerisourceBergen Corporation). Lash Group provides patient access services to pharmaceutical companies. Lash Group has more than 4,000 employees and generates roughly $845 million in annual revenue.
Novartis is a Swiss multinational pharmaceutical company with its headquarters in Basel, Switzerland. Novartis manufactures several well-known drugs, including Clozapine (Clozaril), Diclofenac (Voltaren), Carbamazepine (Tegretol), Valsartan (Diovan), Imatinib mesylate (Gleevec/Glivec), Cyclosporine (Neoral/Sandimmune). Novartis employs approximately 76,000 people and generates over $76 billion in annual revenue.
