PurFoods, which positions itself as a provider of “tailored home-delivered meals,” has reported a data breach affecting over 1.2 million people.
A class action complaint was recently filed against PurFoods (doing business as Mom’s Meals) after it was revealed that cyberattackers acquired sensitive, personally identifiable information for approximately 1.2 million users of its service.
The PurFoods notification reveals that suspicious account behaviour was first seen back in February of this year. An investigation concluded that at some point between January 16 and February 22, 2023, a cyberattack took place. Certain files in the PurFoods network were encrypted, and investigators also noticed tools present which can be used for data exfiltration. As a result, PurFoods says it “can’t rule out” the possibility that data was exfiltrated from one of its file servers.
The notice stresses that so far there has been no evidence of data being misused, which will be some measure of relief for those using the service. Even so, an abundance of caution has led to a variety of advice for those who think they may be impacted.
At this point, there is no additional information about the specific ransomware used or whether additional extortion tactics were deployed. The notification does state that this incident is unrelated to the MOVEit attack from a few months prior.
Who Is Affected By The Breach?
The individuals whose information was involved included clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.
What Information Was Stolen?
The data potentially at risk, which is quite significant, includes:
- Date of Birth
- Driver’s license/state identification number
- Financial account information
- Payment card information (including PIN)
- Medical record number
- Medicare and/or Medicaid Identification
- Health Information
- Treatment Information
- Diagnosis code
- Meal category and/or cost
- Health insurance information
- Patient ID number
- Social Security numbers were involved for less than 1% of the total population, most of which are internal to PurFoods.
What Is PurFoods Doing About This?
PurFoods began sending out notification letters by mail on August 25. The letters included specific information on identity theft protection and on making use of “identity restoration services and complimentary credit monitoring”. There’s also a dedicated call center line for people who may have further questions about the breach: (866) 676-4045.
PurFoods notified law enforcement of the attack and said that it was working to implement additional safeguards and employee training to prevent similar incidents in the future.
According to the notification letter PurFoods sent, individuals affected by the breach are being offered credit monitoring services for terms between 12 and 24 months.
Case Status: Open – Not Accepting New Clients