CINCINNATI – The Kroger Co. Family of Companies is providing notice that customers of its pharmacies and The Little Clinic may have been impacted by a data security incident affecting Accellion, a software company used by Kroger and many other companies for secure file transfers.

Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service. After being informed of the incident, Kroger discontinued use of Accellion’s services and initiated its own forensic investigation to review the potential scope and impact.

Entities that may have been impacted include The Little Clinic and Kroger Pharmacies, as well as the other pharmacies in the Kroger family operated by Ralphs Grocery Company and Fred Meyer Stores Inc. These also include King Soopers (there is one in Cheyenne); Jay C Food Stores; Dillon Companies, LLC; Baker’s; City Market; Gerbes; Quality Food Centers; Roundy’s Supermarkets, Inc.; Copps Food Center Pharmacy; Mariano’s Metro Market; Pick-N-Save; Harris Teeter, LLC; Smith’s Food and Drug; Fry’s Food Stores; Healthy Options, Inc.; Postal Prescription Services; and Kroger Specialty Pharmacy Holdings, Inc.

This incident also impacted beneficiaries under The Kroger Co. Health and Welfare Benefit Plan, and The Kroger Co. Retiree Health and Welfare Benefit Plan.

While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution, Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them, according to a news release.

The incident was isolated to Accellion’s services and did not affect the Kroger Family of Companies’ IT systems or any grocery store systems or data. No credit card, debit card or digital wallet information or customer account passwords were affected, according to the release.

However, the Accellion software was used for secure file transfers of certain patient pharmacy and clinic records. Kroger is in the process of contacting potentially impacted pharmacy and clinic customers to inform them of the incident.

The investigation into the scope of the incident is ongoing. However, it appears affected patient information may include all or a subset of the following: certain names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, information to process insurance claims, prescription information such as prescription number, prescribing doctor, medication names and dates, medical history, as well as certain clinical services, such as whether the patient was ordered a flu test.

Affected customers will receive a notice with contact information for any questions, and instructions on how to enroll in credit monitoring.

More information is available at
