In February 2024, Cencora, Inc. (formerly AmerisourceBergen) — one of the largest pharmaceutical services providers in the United States — disclosed a significant data-security incident that potentially exposed the personal and health-related information of millions of individuals.
Cencora works closely with healthcare providers, insurers, specialty pharmacies, and patients through subsidiaries such as The Lash Group, which handles patient-support services for numerous medications and programs. Because of the sensitive ecosystem they operate in, even a single breach can have far-reaching consequences.
This article covers the following:
- What is the Cencora data breach lawsuit about?
- An overview of the Cencora incident settlement.
- Eligibility to be a part of this settlement.
- The settlement amount that you can get.
- How to claim your Cencora incident settlement?
- What should you do after the settlement?
If these are questions you need answered, keep reading to the end.
What Is The Cencora Data Breach Lawsuit?

According to court documents, drug wholesale company Cencora was negligent in its efforts to protect and secure the protected health information and personally identifiable information of its patients from “criminal hackers” in a data breach that was disclosed in May.
The class action complaint by plaintiff Keith Wolford alleges that Cencora was responsible for implementing adequate safeguards for the patients’ confidential information so as to prevent “unauthorized disclosure and exfiltration.”
Top Class Actions reports: “Cencora filed an official notice of a ‘hacking incident’ with the Securities and Exchange Commission on Feb. 27, 2024, according to the Cencora class action. The lawsuit claims the company waited until on or about May 17, 2024, to send out data breach letters to individuals affected by the data breach.”
Brief Timeline Of The Breach
- February 21, 2024: Cencora first reported “unauthorized activity” within certain systems, confirming that a data breach had occurred.
- February 27–28, 2024: Cencora released public disclosures via regulatory filings and notices, indicating that attackers had exfiltrated data from certain computer systems.
- Mid–2024: Affected individuals began receiving formal notification letters, with Cencora acknowledging that personal and health-related data may have been compromised.
- 2025: Multiple lawsuits were consolidated into a class action, which eventually led to the proposed $40 million Cencora Data Incident Settlement (official settlement website: CencoraIncidentSettlement.com).
- 2026: The case continues toward final approval, set for February 5, 2026.
What Data May Have Been Exposed
According to the settlement website and related court filings, the compromised information may include:
- Full names
- Home and mailing addresses
- Email addresses
- Dates of birth
- Social Security numbers
- Medical/health information
- Insurance details (policy numbers, group numbers, plan information)
- Prescription-related information
- Patient support program enrollment details
- Limited financial identifiers (in some cases)
- Other sensitive personal data connected to The Lash Group’s patient-management programs
Because Cencora supports pharmaceutical manufacturers and healthcare providers, a wide range of patients and insurance program participants may have been indirectly affected — even if they did not directly interact with the company.
Why This Matters: The Risks For Individuals
A breach involving medical and identity-related data carries more serious risks than a typical consumer-account breach. Potential harms include:
- Identity theft and impersonation: Full identity profiles (name, address, DOB, and SSN) can be used to open fraudulent lines of credit or government accounts.
- Medical identity fraud: Criminals may use stolen health-insurance details to obtain medical services or equipment, leaving victims with incorrect medical records or bills.
- Insurance misuse: Fraudulent claims could be filed in a victim’s name.
- Financial fraud: If any financial identifiers were involved, victims may face unauthorized transactions or credit-report impacts.
- Long-term exposure: Health and identity data cannot be “reset” like a password, making long-term monitoring essential.
Given the sensitivity of the data, litigation quickly followed — ultimately resulting in the proposed $40 million class action settlement.
The Settlement: Overview Of The $40 Million Deal

According to the official settlement notice and filings cited by ClassAction.org, the proposed settlement creates a $40 million fund to compensate individuals whose information was compromised in the February 2024 incident.
The settlement involves:
- Cencora, Inc.
- Its subsidiary The Lash Group, which manages patient-support and insurance-benefit programs
- Settlement Class Members — individuals whose data was accessed or exfiltrated during the breach
This fund covers cash payments, reimbursement for documented losses, administrative costs, and attorney fees (subject to court approval).
Legal Status: Preliminary & Final Approval
The settlement has received preliminary approval, allowing claims to be submitted. According to ClassAction.org, the final approval hearing is scheduled for February 5, 2026. Once the court grants final approval and any appeals are resolved, payments can be issued.
What “Class Action Settlement” Means
A class action settlement allows large groups of affected individuals to resolve claims together, without each person having to file a separate lawsuit. Instead:
- The court reviews and approves the terms.
- Class Members can either participate, object, or opt out to preserve their right to sue independently.
Participation typically means you cannot pursue separate claims later — in exchange for receiving settlement benefits.
Beyond Money: Security Improvements Required
A meaningful part of the settlement requires Cencora to implement enhanced cybersecurity measures. According to coverage summarised by kbsd6.com, these improvements may include:
- Upgraded security monitoring
- Stronger multi-factor authentication protocols
- Enhanced employee training
- Network-segmentation improvements
- More robust data-governance practices
Such requirements aim to reduce future risks and demonstrate compliance with evolving healthcare-data protection standards.
Who Qualifies: Are You Part Of The Settlement Class?
Eligibility is broad, covering individuals in the U.S. and U.S. territories whose personal information was impacted in the incident.
Core Qualification Criteria
According to ClassAction.org and the settlement website, you may qualify if:
1. You lived in the U.S. or its territories.
2. Your personal information was accessed or exfiltrated during the February 2024 incident.
3. You either:
- Received a formal notice letter, or
- Experienced “inquiry notice”, meaning you took action or noticed issues indicating your data might have been misused (e.g., suspicious insurance activity).
What Counts As “Personal Information Involved”?
Per Claim Depot and the settlement administrator, this includes:
- Name
- Address
- Date of birth
- Social Security number
- Medical and clinical information
- Insurance details
- Treatment support program participation
- Financial or account-related identifiers
- Prescription or treatment-support program data
- Biometrics (if included in system logs)
Essentially, if Cencora maintained or processed your healthcare-related identity data, it may have been affected.
Who Is Excluded?
Per CencoraIncidentSettlement.com, certain individuals cannot submit claims:
- Judge(s) overseeing the case
- Cencora leadership and employees directly involved in security
- Legal representatives of the defendants
- Persons who opt out of the settlement
- Any entity rather than individual persons (unless specifically listed)
What You Can Get: Settlement Benefits & Payouts
The settlement provides several benefit categories.
Documented-Loss Payments — Up to $5,000
According to The HIPAA Journal, eligible class members may receive up to $5,000 if they can document actual, unreimbursed losses directly tied to the breach. These can include:
- Identity-theft-related expenses
- Fraudulent medical billing harms
- Out-of-pocket costs for credit monitoring
- Lost time spent dealing with fraud (compensable at an approved rate)
- Costs of freezing/unfreezing credit
- Replacement fees (driver’s license, ID, medical card, etc.)
A cap applies to the total pool for documented-loss reimbursements. If claims exceed the cap, payments may be reduced pro rata.
Cash Fund / Pro-Rata Payment (No Documentation Required)
According to Claim Depot, Class Members can also choose a cash payment requiring no receipts or proof — simply confirming eligibility.
This amount is pro-rata, meaning:
- A fixed amount of the fund is allocated for non-documented claims.
- The actual payout depends on how many people submit valid claims.
- The more participants, the smaller each payment may be.
Historically, in large healthcare-related settlements, such payments can range anywhere from $10 to $75+. However, the final number depends entirely on participation rates.
Realistic Expectations
Given the size of the class and the fixed $40M fund:
- Documented-loss claimants have potential for larger payments, but must provide proof.
- Cash-fund claimants should expect smaller payouts due to the number of affected individuals.
- If claims exceed the fund, pro-rata reductions will apply.
What Counts As Valid Losses?
Losses must be:
- Directly related to the breach, and
- Not previously reimbursed by a bank, insurer, or other entity.
Typically accepted losses include:
- Identity-theft remediation costs
- Fraudulent medical or insurance charges
- Out-of-pocket expenses for credit protection
- Charges for account recovery or document replacement
- Time spent (documented and reasonable)
How To Claim Cencora Incident Settlement: Step-by-Step Guide
Follow these steps to claim your share of the Cencora incident settlement:
Where To File: Official Website
Claims must be filed through the official settlement website, which is CencoraIncidentSettlement.com.
You can submit:
- An online claim form, or
- A printed form by mail
Key Dates & Deadlines
Per the settlement notice:
- Opt-Out / Exclusion Deadline: December 18, 2025
- Claim Submission Deadline: January 19, 2026
- Final Approval Hearing: February 5, 2026
What You Need To File
Based on ClassAction.org guidance, you need the following to file:
1. For a documented-loss claim:
- Receipts, invoices, or bills showing expenses
- Proof the cost was breach-related
- Evidence of identity-theft issues or fraudulent activity
- Records of time spent resolving issues
2. For a simple cash claim:
- Your name, address, and contact info
- Confirmation of eligibility
- Class Member ID (if you received a notice) or other verification
What Happens After You File For Cencora Incident Settlement?
According to Claim Depot, the process is:
- Administrator reviews your claim for completeness and eligibility.
- Invalid claims may be rejected or require clarification.
- Once the settlement receives final court approval, payments are processed.
- If many claims are filed, pro-rata adjustments will occur.
- Payments typically issue several months after final approval unless appeals delay the process.
Opting Out Or Objecting
You may:
- Opt out if you want to retain your right to sue Cencora independently.
- Object if you have concerns about the settlement terms but still want benefits.
Opting out means you will not receive any settlement payment.
Common Concerns & What This Settlement Doesn’t Do
These are the common concerns about the Cencora incident settlement:
1. No Admission of Wrongdoing
Per Claim Depot and official filings, Cencora does not admit liability or wrongdoing by agreeing to settle. This is standard in data-breach settlements.
2. Payouts May Be Limited
Because the number of affected individuals is large, cash payments may be modest once divided. Documented-loss payments face caps as well.
3. Documentation Requirements May Burden Claimants
People without receipts or proof of loss may only qualify for smaller, pro-rata payments.
4. No Guaranteed Full Reimbursement
If claims exceed available funds, pro-rata reductions apply — meaning even documented losses may not be fully reimbursed.
5. International Individuals Likely Not Covered
The settlement applies only to U.S. residents and territories, so any international individuals (if affected) may not receive compensation.
After The Settlement: What You Should Do Next?
Regardless of whether you file a claim, best-practice steps include:
1. Monitor Your Credit & Financial Accounts
- Check monthly statements for fraud.
- Monitor major credit bureaus for new accounts or changes.
2. Enroll In Credit Monitoring
If you accept the cash payout instead of monitoring services, you may still want to purchase monitoring independently.
3. Update Passwords & Use MFA
Enable multi-factor authentication on:
- Banking
- Insurance portals
- Patient portals
4. Be Alert To Phishing Scams
Scammers often impersonate settlement administrators. Never share SSNs or banking details by email or phone.
5. Save Copies Of Your Claim
If the administrator requests clarification later, having documents on hand helps avoid delays.
Critical Reflection: Is $40 Million Enough? What This Settlement Means
While the settlement provides meaningful compensation and imposes new security requirements, many observers question whether $40 million is adequate for a breach affecting such sensitive health-related data.
Proportionality Concerns
If millions were affected, the per-person payout could be small. Besides, healthcare data is extremely valuable on the black market, and victims can face years of risk.
Corporate Responsibility & Deterrence
Such settlements raise questions:
- Are financial payouts enough to push companies toward stronger security?
- Or are such settlements simply absorbed as the “cost of doing business”?
Healthcare and pharmaceutical data handlers face increasing regulatory scrutiny, but breaches continue to rise.
Lessons For Individuals
- Personal data may be processed by companies we’ve never heard of — and we rely on them to keep it safe.
- Data breach notifications can occur months after incidents, so monitoring is crucial.
- Class actions offer access to compensation without hiring a lawyer.
Lessons For Organizations
- Prompt detection and disclosure are essential.
- Investing in data security may cost far less than breach remediation.
- Transparent communication builds trust and reduces litigation risk.