Cyber Incident Victim: Walmart Inc.

Date: Jan 2021

Location: United States of America

Summary

A data security incident impacted a limited number of Walmart pharmacy patients after an unauthorized party accessed records stored by a third-party supplier’s compromised data hosting service. The affected information potentially included patient names, contact details, dates of birth, prescription-related data such as drug names and prescriber information, and a small number of health insurance subscriber IDs, though the company’s internal systems remained unaffected. The supplier discontinued use of the breached service, while the retailer initiated an investigation, reviewed the supplier’s security practices, and notified impacted individuals.

Description

On February 16, 2021, Walmart was notified by one of its suppliers that a third-party data hosting service used by that supplier had been compromised on January 20, 2021. An unauthorized party gained access to the supplier’s service and exfiltrated records containing information pertaining to a limited number of Walmart pharmacy patients. Walmart confirmed its internal systems were not breached during this incident but initiated an immediate investigation to assess the scope of data exposure through the supplier. The investigation determined that compromised records potentially included patient names, addresses, dates of birth, telephone numbers, medication details such as drug names and strengths, prescription numbers, prescriber names, and prescription fill dates. A small number of health insurance subscriber identification numbers were also affected.

Walmart terminated the supplier’s access to the compromised hosting service upon discovery and launched a review of the supplier’s security protocols. The company issued individualized notifications to affected pharmacy patients, providing a dedicated call center for inquiries. Walmart reiterated its commitment to safeguarding patient information and advised vigilance regarding explanations of benefits and unsolicited requests for personal or financial data. The incident’s origin was confined to the supplier’s infrastructure, with no evidence linking it to Walmart’s operational systems. Walmart did not publicly confirm or deny potential connections to contemporaneous breaches involving Accellion’s file-transfer appliances when queried by media outlets.
