The Cincinnati-based grocery chain is offering free credit monitoring to anyone affected by the breach.
Information accessed included the following data, according to Cincinnati.com:
— Patient names
— Email addresses
— Phone numbers
— Home addresses
— Dates of birth
— Social Security numbers
— Information used to process insurance claims
— Prescription information such as prescription number, prescribing doctor, medication names and dates, medical history, as well as certain clinical services, such as whether the patient was ordered a flu test.
Kroger said it believes less than 1% of its customers were affected — specifically some using its Health and Money Services — as well as some current and former employees because a number of personnel records were apparently viewed.
The company, which has 2,750 grocery retail stores and 2,200 pharmacies nationwide, said Sunday in response to questions from The Associated Press that an investigation into the scope of the hack was ongoing.
Federal law requires organizations that handle personal health-care information to inform the Department of Health and Human Services of any data breaches.
Kroger said it was among victims of the December hack of a file transfer product called FTA developed by Accellion, a California-based company, and that it was notified of the incident Jan. 23, when it discontinued use of Accellion’s services. Companies use the file transfer product to share large amounts of data and hefty email attachments.
An unauthorized person gained access to Accellion to securely transfer files, Cincinnati.com reported.
The unknown person accessed certain Kroger files by exploiting a vulnerability in the file transfer service, according to the Kroger release.
Kroger said the incident affected beneficiaries under The Kroger Co. Health and Welfare Benefit Plan, and The Kroger Co. Retiree Health and Welfare Benefit Plan, according to Cincinnati.com.
Potentially affected customers are in the process of being notified by Kroger.
The data breach potentially affects The Little Clinic, Kroger Pharmacies as well as its other family of pharmacies operated by Ralphs Grocery Company and Fred Meyer Stores Inc., Cincinnati.com reported.
The affiliated pharmacies possibly affected also include Jay C Food Stores, Dillon Companies LLC, Baker’s, City Market, Gerbes, King Soopers, Quality Food Centers, Roundy’s Supermarkets Inc., Copps Food Center Pharmacy, Mariano’s Metro Market, Pick N Save, Harris Teeter LLC, Smith’s Food and Drug, Fry’s Food Stores, Healthy Options Inc., Postal Prescription Services, Kroger Specialty Pharmacy Holdings and Inc.
Accellion has more than 3,000 customers worldwide. It has said the affected product was 20 years old and nearing the end of its life. The company said Feb. 1 that it had patched all known FTA vulnerabilities.
Other Accellion customers affected by the hack include the University of Colorado, Washington State’s auditor, Australia’s financial regulator, the Reserve Bank of New Zealand and the prominent U.S. law firm Jones Day.
For Washington State’s auditor, the hack was particularly serious. Exposed were files on 1.6 million claims obtained in its investigation of massive unemployment fraud last year.
In the case of Day, cybercriminals seeking to extort the law firm dumped an estimated 85 gigabytes of data online they claimed to have stolen.
Former President Donald Trump is among Day’s clients, but the criminals told the AP via email that none of the data was related to him. The AP reached out to the criminals with questions via email on the dark website where they posted documents stolen from the law firm.
It is not known if the criminals extorting Day were also responsible for the Accellion hack.
The Associated Press contributed to this report.