Kroger Co. Announces Pharmacy Customer Data was Compromised in Recent Hack

— March 5, 2021

Kroger Co. recently announced it was a victim of a data hack that may have compromised sensitive information belonging to thousands of its customers.

Kroger Co. recently announced the company was the victim of a large data hack that compromised the sensitive personal data of “some of its pharmacy and clinic customers.” Social Security numbers were among the personal data compromised “in the hack of a third-party vendor’s file-transfer service.”


Earlier this year, the grocery store chain, which is located in Cincinnati, said “it believes less than 1% of its customers were affected — specifically some using its Health and Money Services — as well as some current and former employees because a number of personnel records were apparently viewed.” For now, the company is notifying anyone who may have been impacted and plans to offer free credit monitoring.

The company added that the “breach did not affect Kroger stores’ IT systems or grocery store systems or data” and noted there is no indication “of fraud involving accessed personal data.”

Currently, there are about 2,750 Kroger grocery stores and 2,200 pharmacies across the country. When asked about the data breach, a spokesperson for the company said the hacked information belonging to Kroger pharmacy patients could include “names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers,” and perhaps even information related to patient health insurance, medical history, and prescriptions.

Under federal law, companies and organizations that handle personal medical information are required to notify the Department of Health and Human Services when a data breach occurs. When did the data hack happen, though? How did it happen? According to the company, Kroger “was among victims of the December hack of a file-transfer product called FTA developed by Accellion and that it was notified of the incident on Jan. 23, when it discontinued use of Accellion’s services.” Companies like Kroger use the file-transfer product to “share large amounts of data and hefty email attachments.”

Accellion is a large, California-based company that has more than 3,000 customers across the globe. When asked about the breach, the company said the “affected product was 20 years old and nearing the end of its life.” It added that it completed patching up all known FTA vulnerabilities on February 1.

Kroger wasn’t the only company that suffered a breach. Other companies and organizations include Washington State’s auditor, the University of Colorado, the Reserve Bank of New Zealand, and Jones Day, a law firm. Former President Donald Trump is one of Jones Day’s clients, but none of the data compromised in the hack reportedly belonged to him.

