On March 10, Kroger’s Healthy Options program, Postal Prescription Services (PPS), issued a statement about a privacy breach.
According to their statement, some PPS patients’ names and email addresses were erroneously shared with the grocery side of Kroger’s business due to an internal error.
Kroger doesn’t state when the breach first occurred, but they discovered the error on January 10. Letters were mailed to those affected on or about March 10, and on March 15, Kroger notified HHS that 82,466 patients were affected.
While it is a privacy issue for employees on one side of a business to know that someone is a prescription service patient on the other side of the business, it’s not the type of incident likely to result in any kind of misuse or serious problems.
What is confusing in their disclosure, however, is their statement that the incident was “limited to the patient’s first name, last name and email address for patients who created an online PPS account from July 2014 through January 13, 2023, which is when this issue was corrected.” Was this improper sharing going on for 9 years before it was discovered, or was it only a recent problem but one that also affected patients who had used their website as early as 2014?
DataBreaches sent an email inquiry asking for clarification on that but has yet to receive any reply.