Pharma Industry Data Breaches: Why is Pharma an Appealing Target?

As the internet continues to develop and innovate, so too does the potential for nefarious actors to take advantage of the people, businesses and institutions that operate online, as recent years have shown.

While the pharmaceutical industry has been around for a long time, its shift to the internet, alongside most other industries, has created increased potential for data breaches.

Unfortunately, however, its appeal to hackers and other parties with ill intentions seems to be significantly greater than that of other industries, making pharma a serious target for cyber attacks.

But what is it that makes the pharmaceutical industry an attractive target for cyber attacks?

Most of all, it’s a combination of the industry holding a great deal of sensitive, and therefore valuable, data and the industry’s vulnerabilities in keeping that data safe. Let’s have a closer look at why this is, how it works and what pharmaceutical companies are doing to fight back.

 

Why Is the Pharma Industry a Target for Data Breaches?

 

The generally accepted reason for pharmaceutical companies being common targets of cyber attacks is that they hold valuable information and there are many ways in which this data can (in theory) be accessed. That, however, is putting it simply.

We’re going to break down some of the most significant factors that make pharma a target.

 

1. Valuable Data and Sensitive Information 

 

Pharmaceutical companies hold a lot of valuable data and sensitive information, of which there are two main types.

First, these companies conduct new medical research and receive results at various stages of the research process.

This research information is incredibly valuable due to patenting issues during medical trials, manufacturing and so on.

This creates an opportunity for cyber criminals to attempt to steal this kind of valuable information and either distribute it, sell it or find another way to use it to their advantage.

Second, pharmaceutical companies are given access to a large amount of personal information about patients, results from clinical trials, regulatory filings and more.

The publication of this information would be incredibly problematic, which increases the incentive to steal it for purposes such as identity theft, sale on the black market, fraud or any number of other dodgy dealings.

 

2. Vulnerabilities in Supply Chains

 

The general notion of the vulnerability of supply chains adheres to a fairly simple rule – the longer the chain, the more opportunity for things to go wrong.

Unfortunately, supply chains in pharma are notoriously long, made up of a complex network of partners, providers, suppliers and vendors.

Thus, every additional link in the chain represents an opportunity for compromised security and the potential for a data breach.

For the pharmaceutical industry, as a whole, to be safe, every single link in the supply chain needs to be absolutely solid in terms of safety and security, which is difficult to manage and, ultimately, achieve.

 

3. Exploitation of Regulatory Compliance

 

Since the pharmaceutical industry has access to such important, classified information, it is subject to a plethora of rules and regulations.

There are fairly major penalties for non-compliance, both from regulatory bodies and in terms of a general loss of confidence in companies’ ability to protect sensitive information.

This has become an additional vulnerability for pharmaceutical companies. Cybercriminals can try to exploit weaknesses within companies’ regulatory compliance to either deliberately cause violations or interrupt operations.

 

 

4. Dramatic Consequences 

 

As is already clear, interfering with a pharmaceutical company, by leaking sensitive data and information or disrupting operations, can have far-reaching effects due to the enormity and universality of the pharmaceutical industry.

This means that a cyberattack on a pharmaceutical company can have not only national but global effects too.

 

5. Significant Potential for Financial Gain

 

The importance and value of the information held by pharmaceutical companies relates directly to cybercriminals’ potential for financial gain. That is, the more valuable the information, the more money they stand to make from stealing or compromising it.

This financial gain may come in the form of ransomware attacks or the use of stolen information for insider trading, for instance.

 

6. Cybersecurity in Pharma is Still Developing

 

Unfortunately, a big problem in the pharmaceutical industry, and another thing that makes it so vulnerable, is that its cybersecurity is still developing.

It may be a little bit behind due to factors including the sheer size of the industry, the length of the supply chain and the immense value of pharmaceutical data, as well as issues pertaining to small budgets and a limited understanding of the importance of proactively mitigating cybersecurity risks.

That’s not to say that cybersecurity within the pharmaceutical industry is completely useless – it’s not. However, it does have a long way to go in order to be able to ensure that companies within the industry, both small and large, can be adequately protected from online attacks.

Notorious Cyberattacks in Pharma

 

In 2014, the world saw one of the first major cyberattacks on the pharmaceutical industry that targeted intellectual property and the theft of manufacturing and production information, among other things. The campaign was dubbed “Dragonfly” or “Energetic Bear”, and it targeted a plethora of small companies with 50 employees or fewer, marking an interesting strategic move.

A few years later, Merck & Co. suffered a ransomware attack in 2017 that affected approximately 30,000 computers, resulting in damages estimated at $870 million when all was said and done.

PharMerica Corporation released information about a data breach the company had suffered the previous year that resulted in the leaking of information belonging to more than six million people. Not long after the company’s announcement, a significant amount of stolen data was leaked systematically, and PharMerica Corporation now faces a class action suit over its inability to protect sensitive information.

The most recent victim in pharma cyberattacks seems to be Cencora, which announced in May that millions of people’s private information, both personal and health-related, was leaked during an attack in February of 2024.

So far, Cencora has notified about a million people in the US of their information having been part of the breach, although they haven’t yet provided much detail on the cause of the leak.

Whether it was a result of the actions of malicious hackers or due to faults in their own security, it seems reasonable to expect that Cencora will most likely face serious backlash in the coming months.