Kroger reports Accellion data breach affecting pharmacy records, associate HR data
Updated March 9: This incident subsequently appeared on HHS’s public breach tool as having been reported to HHS on February 19 and impacting 368,100 patients.
Brian Planalp reports:
Kroger is informing some customers and associates that a third-party software company it uses for data services recently suffered a data breach.
Kroger’s own IT systems were not affected, and no grocery store data, credit or debit card information or customer account passwords were impacted, according to the Cincinnati-based supermarket chain.
Read more on Fox19.
In its press release, Kroger says
After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.
At this time, they believe that less than 1% of customers and associates have been impacted. The customers would be the Health Services customers (patients) and Money Services customers.
The News Tribune lists potentially impacted properties:
Entities that may have been impacted include The Little Clinic, Kroger Pharmacies as well as its other family of pharmacies operated by Ralphs Grocery Company and Fred Meyer Stores, Inc. Those include Jay C Food Stores; Dillon Companies, LLC; Baker’s; City Market; Gerbes; King Soopers; Quality Food Centers; Roundy’s Supermarkets; Inc.; Copps Food Center Pharmacy; Mariano’s Metro Market; Pick N Save; Harris Teeter, LLC; Smith’s Food and Drug; Fry’s Food Stores; Healthy Options, Inc.; Postal Prescription Services; Kroger Specialty Pharmacy Holdings, and Inc. The incident also affected beneficiaries under The Kroger Co. Health and Welfare Benefit Plan, and The Kroger Co. Retiree Health and Welfare Benefit Plan.
For a list of other known Accellion clients impacted by the breach, see this post.