Kroger: Mail-order pharmacy ‘improperly’ shared patient data internally

The Kroger Co. reported that its mail-order pharmacy service “improperly” shared some patient information with the company’s affiliated grocery business.

Cincinnati-based Kroger said Friday that Healthy Options Inc., dba Postal Prescription Service (PPS), a Kroger Health unit, discovered on Jan. 10 that an internal error led to some patient names and email addresses being used inadvertently to set up Kroger Co. retail grocery accounts for the impacted individuals.

Kroger noted that the improper data sharing didn’t result from or relate to a security incident and, upon learning of this incident, PPS updated its website to address the problem. Kroger said it’s also reviewing its procedures to assess changes to reduce the likelihood of such an incident from happening in the future.

The information disclosed was limited to first and last names and email addresses for patients who created an online PPS account between July 2014 and Jan. 13 of this year, when the issue was fixed, according to Kroger.

“No financial or clinical information was impacted. Kroger has not received any indication that the information was misused because of this incident,” Kroger said in a statement. “However, as a general best practice, customers are encouraged to remain vigilant and monitor their accounts for any suspicious activity and to report any suspected incidents of fraud to their financial institutions.”

Kroger couldn’t immediately be reached by Winsight Grocery Business for further details or comment. The company said letters about the data incident have been sent to affected individuals.

About two years ago, Kroger also experienced a data incident involving pharmacy patient information.

The company in February 2021 confirmed a data breach related to a vulnerability in file transfer software it used from data security and services firm Accellion Inc. Based on information from Accellion and its own investigation, Kroger estimated that about 2% of customers—from Kroger Health and Kroger Money Services—had data exposed, including certain pharmacy and money services records. Non-sensitive data, including loyalty program information for coupons and product discounts, also were affected. Current associates and some former associates, too, were notified that some human resources records were impacted. Kroger said it was informed of the incident’s effect on Jan. 23, 2021, and thereafter discontinued use of Accellion’s services.