Mom’s Meals, a meal delivery service for people with chronic health conditions, has confirmed a data breach affecting more than 1.2 million individuals.
In a data breach notice filed this week with Maine’s attorney general, Mom’s Meals parent company PurFoods confirmed that the meal delivery service experienced a cyberattack between January 16 and February 22. The company said that the incident resulted in the “encryption of certain files” and that tools commonly used to steal data were found on its network, suggesting ransomware may have been the culprit.
“We can’t rule out the possibility that data was taken from one of our file servers,” the company said.
PurFoods hired an unnamed third-party incident response firm to investigate the breach and said that the review concluded on July 10. This determined that the “files at issue included personal and protected health information related to certain individuals.”
Affected individuals include those who have received Mom’s Meals packages, including Medicare, Medicaid and self-paying members without an eligible health plan or who don’t qualify for government assistance.
The data breach also impacted the company’s current and former employees, and independent contractors.
The information included customer names, Social Security numbers, driver license and state identification numbers, financial account and payment card information, medical record numbers, health information, treatment information, diagnosis codes, meal categories and costs, health insurance information and patient ID numbers.
PurFoods said it began notifying affected individuals on August 25 — seven months after it was first compromised and more than a month after it concluded its investigation into the breach. It’s not clear why the company waited so long to tell affected customers, and PurFoods did not respond to TechCrunch’s questions.
PurFoods published a separate data breach notice on its website, which at the time of publication includes “noindex” code telling search engines to ignore the webpage, effectively preventing affected individuals from finding the breach notice in search results.
PurFoods said it was providing access to credit monitoring services for 12 months via financial and security consultancy giant Kroll to individuals whose personal information was compromised by the breach.
Kroll, however, said last week that it too was the victim of a cyberattack involving the theft of personal data belonging to failed crypto companies, including BlockFi, FTX and Genesis, which rely on Kroll for their bankruptcy proceedings. As reported by KrebsOnSecurity, Kroll said an employee’s phone number was hijacked in a SIM swapping attack that was used to gain access to Kroll’s network.