HIPAA Breach Notification Letter Sent to 82,466 Patients Due to Improperly Shared Data

According to the U.S. Department of Health and Human Services breach portal, the mail-order pharmacy Healthy Options dba Kroger Postal Prescription Services (PPS) reported a breach of information that affected 82,466 patients. Kroger’s March 10, 2023 press release described the incident as “an internal error” that caused patient names and email addresses affiliated with Kroger PPS to be “improperly shared with its affiliated grocery business.”

This breach comes two years after the Accellion incident which also affected Kroger. Accellion is a company which provides secure third-party data file transfer services to businesses, one of which was Kroger. Their services were used to send human resources data, pharmacy patient information, clinic patient information, and money services records through secure file transfers. Kroger’s internal review indicated the Kroger systems were not directly accessed, and that the information was obtained only through Accellion. Kroger cut their ties with Accellion and sent out HIPAA breach notification letters to the affected individuals.

As these two incidents illustrate, breaches can happen. Sometimes they are malicious in nature, and sometimes they are due to poor training or a lack of appropriate safeguards. PAAS National® analysts suggest regularly evaluating your pharmacy’s HIPAA compliance program and implementation to identify deficiencies so improvements can be made in a timely manner. If you are not sure where to begin or what a “top of the line” HIPAA program looks like, contact us at (608) 873-1342 for a virtual overview of the PAAS National® Fraud, Waste and Abuse and HIPAA Compliance Program. We are here to guide you through compliance – get started today.

Sara Hathaway, PharmD