82K Kroger Customers Impacted By Healthcare Data Breach

March 23, 2023 - Postal Prescription Services (PPS), part of Kroger, notified more than 82,000 Kroger customers of a data breach that stemmed from an internal error resulting in improper sharing of patient names and email addresses. PPS is a full-service, mail-order pharmacy based in Portland, Oregon.

The names and email addresses were used to create Kroger grocery accounts, the notice explained. Patients who created an online PPS account between July 2014 and January 13, 2023, were impacted by the internal error.

No clinical or financial information was involved in the breach, but PPS reported the incident to HHS as having impacted 82,466 individuals in total. PPS said that the incident was “not caused by or related to a security incident,” though it did not specify the nature of the internal error that caused the breach.

“Upon learning of this incident, PPS updated its website to address this problem,” the notice stated.

“Kroger is also reviewing its procedures to evaluate changes to reduce the likelihood of this type of incident from occurring in the future.”

PPS directed patients with remaining questions to contact Kroger’s HIPAA Privacy Office.

Video Software Company Reports Healthcare Data Breach

Software company SundaySky reported a healthcare data breach to HHS that impacted more than 37,000 individuals. SundaySky offers a platform that allows businesses to develop personalized videos for marketing purposes and works with 4 of the top 5 health insurers, its website states.

“In connection with the services it provides, SundaySky received certain information from its customers, including certain health plan information between December 2018 and January 2019,” SundaySky explained.

In January 2023, SundaySky detected unauthorized activity within its cloud-based environment. The company later learned that an unauthorized actor had copied certain files from its environment between January 6 and January 8.

The information involved in the breach included names, email addresses, copay information, and Healthcare Savings Account (HSA) effective date and deductible information.

SundaySky notified authorities of the incident and said it was in the process of implementing additional safeguards to reduce the likelihood of a similar event.

Blue Cross Blue Shield of Arizona Members Impacted by US Wellness Vendor Breach

US Wellness, a company that specializes in wellness programs consisting of biometric screening and incentive management, notified an undisclosed number of Blue Cross Blue Shield of Arizona (BCBSAZ) members of a third-party data breach that impacted member data.

On January 31, a vendor tied to US Wellness experienced a security incident. US Wellness immediately took steps to secure its systems and later learned that certain BCBSAZ member protected health information (PHI) may have been impacted.

The incident potentially impacted names, addresses, member ID numbers, dates of birth, where a service originated, and addresses of service locations. US Wellness said it had no evidence that any information had been misused.

“The privacy and protection of personal and protected health information is a top priority for US Wellness, which deeply regrets any inconvenience or concern this incident may cause,” the notice concluded.

IL Addiction Treatment Center Discloses Breach

Illinois-based Top of the World Ranch Treatment Center disclosed a healthcare data breach that stemmed from unauthorized access to one business email account in November 2022.

The unauthorized party only had access to the email account for several hours. However, the email account contained names, patient identification numbers, health insurance information, provider names, Social Security numbers, and diagnosis and treatment information.

Top of the World was unable to determine whether any information had been acquired by the bad actor, but currently has no evidence of misuse of data.

“In response to this incident, Top of the World reset the password to the affected email account and terminated all outside access to the account; reviewed existing policies and upgraded the security of the email account; and implemented a plan to reinforce employee security awareness training,” the organization stated.