Kroger Will Pay $5 Million to Data Breach Victims

The pharmacy and supermarket company Kroger has offered to pay $5 million to settle lawsuits filed by the victims of a data breach in which their personal data and protected health information (PHI) were exposed.

Kroger was one of the entities affected by the December 2020 cyberattack on Accellion's File Transfer Appliance (FTA). The FTA is a legacy software product used to transfer files that are too large to be sent by email. The attackers exploited several zero-day vulnerabilities in the product and gained access to the data of more than 100 organizations. No ransomware was deployed, but the attack was linked to the Clop ransomware group, which threatened to publish the exfiltrated data and sent ransom demands to individual companies to prevent the exposure of their stolen information.

Kroger was notified of the data breach on January 23, 2021, and received a ransom demand from the attackers on February 2. After notifying the FBI, Kroger paid the ransom on February 18, 2021. The attackers returned the stolen data the next day and provided a video showing its deletion.

The sensitive data of around 1% of Kroger Health and Money clients were stolen. The compromised data included names, contact details, Social Security numbers, health benefits data, prescription data, and other sensitive information. Kroger notified all affected clients and offered them free 2-year credit monitoring and identity theft protection services. Kroger stated that it had stopped using the legacy Accellion FTA product, that it had recovered the data taken by the attackers, and that it had obtained proof that all copies of the data were deleted.

A number of lawsuits were filed against Kroger and Accellion over the data breach. Plaintiffs in the Kroger lawsuits alleged that the company did not implement appropriate data security measures to protect customer data and failed to discover the vulnerabilities the attackers exploited.

Legal representatives for both sides agreed on a preliminary motion for the proposed settlement, which was recently filed in the United States District Court for the Northern District of California. The proposed settlement covers all 3.82 million people affected by the breach, including Kroger employees and clients, and resolves all legal cases filed against Kroger in connection with the breach. The settlement resolves only the claims against Kroger, not the claims against Accellion. No fewer than 15 legal cases have been filed against Accellion over the data breach.

Claimants will be eligible to receive a cash payment or two-year credit monitoring services, or they may file a claim for up to $5,000 for documented losses that can reasonably be traced to the data breach. A $5 million fund has been created to pay the claims.

The settlement also requires Kroger to take several remedial steps:
ensuring that the data stolen in the attack is kept secure and deleted;
conducting dark web monitoring for 5 years to detect any fraudulent use of data stolen in the attack;
confirming that it has discontinued use of the Accellion FTA.

Kroger is also required to strengthen its vendor risk management program and to conduct regular audits of all software and file transfer solutions used to transfer clients' personally identifiable information.

Although both sides have agreed to the settlement, the court has not yet approved it.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA