Court Approves $40 Million Data Breach Settlement by Cencora & The Lash Group

Cencora & The Lash Group decided to create a $40 million fund to resolve a class action lawsuit over a February 2024 data breach that affected about 1.43 million people.

Cencora, Inc., formerly known as AmerisourceBergen, is an American drug wholesale enterprise and a contract research company, while The Lash Group is a pharmaceutical solutions firm. Cencora filed the data breach report with the U.S. Securities and Exchange Commission (SEC) on February 21, 2024, revealing that the firm suffered a theft of data from its data systems.

On July 31, 2024, a new SEC filing mentioned the theft of more records than initially announced. A minimum of 27 pharmaceutical firms were impacted. The stolen personal information and PHI included names, addresses, birth dates, medical insurance info, Social Security numbers, financial information, transactional data, consumer profile details, racial/ethnic identification, political beliefs, sexual orientation, criminal background, IP addresses, other electronic identifiers, biometric information, genetic info, trade union membership data, and passport and driver’s license numbers.

Considering that the breach was reported independently by different entities, the total number of impacted persons is unknown. According to breach reports filed with state Attorneys General and the reported number of mailed breach notification letters, there are about 1.43 million people impacted by the February security incident. Since not many states release breach report data that includes the number of impacted persons, the total figure is likely to be considerably higher than 1.43 million.

Cencora, the Lash Group, and the impacted pharmaceutical organizations faced several class action lawsuits. The legal cases were combined into one action, Anaya et al. v. Cencora, Inc., et al., filed in the U.S. District Court for the Eastern District of Pennsylvania. Allegedly, the defendants were negligent by not implementing reasonable and suitable safety measures to secure sensitive information, thus contributing to the theft of sensitive information.

The defendants opted to resolve the lawsuit without admitting wrongdoing or liability and will create a $40 million settlement fund to pay for attorneys’ costs (about $300,000), attorneys’ fees (about $13,333,333.33), service awards (paying $42,000 to 28 class representatives), and settlement admin expenses (yet to be confirmed).

The rest of the settlement fund will take care of the class members’ benefits. Class members could opt to file a claim for payment of reported, unreimbursed out-of-pocket costs reasonably linked to the data breach, which were accrued on or after September 1, 2023. The limit of claims is $5,000 for each class member, whereas the total loss payments cap is $5,000,000. When the remaining fund is higher than the total claims, the members will be compensated pro rata. Otherwise, class members could claim a cash payment with an amount based on the number of eligible filed claims.

The deadline for submitting an exemption from or an objection to the settlement deal is 150 days from the time the court issued preliminary approval of the settlement deal. The last day to file a claim is 180 days from the time of preliminary approval. The final approval hearing is scheduled for 230 days following the preliminary approval. Claims are expected to be settled in 306 to 311 days after the preliminary approval time. For more details concerning the settlement, visit the page cencoraincidentsettlement.com.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA