Data Breaches

1.2 million people's health and payment information may have been stolen from Purfoods in an IT attack

The meal delivery business leaves a bad taste

Purfoods has warned over 1.2 million people that their personal and medical information, including payment card and bank account details, security codes, and some protected health information, may have been stolen from its servers earlier this year during what appears to be a ransomware infestation.

Purfoods describes itself as a health-focused food-delivery company. Its main initiative is called Mom's Meals. It collaborates with over 500 health providers in the United States, including governments and managed-care organizations, to deliver chilled meals to those on Medicare and Medicaid, as well as individuals who wish to purchase ready-to-eat entrees.

The business bragged about its collaboration on a post-hospital discharge study with Southern California's Kaiser Permanente earlier this month. The healthcare organization provided four weeks of Mom's Meals to roughly 12,000 Medicare patients who had been treated for heart failure or other acute medical illnesses at 15 Kaiser Permanente hospitals and had been released.

Given the circumstances, they were most likely fortunate. Criminals got into Purfoods' network on January 16 and may have stolen some customer information files, according to documentation submitted to the Maine Attorney General's office and a letter sent to 1,237,681 people.

In a letter sent to its customers, Purfoods said:

"Because the investigation also identified the presence of tools that could be used for data exfiltration, Purfoods was not able to rule out the possibility that data was taken from one of its file servers."

The company subsequently hired a third-party incident response firm to help it probe the IT security breach, and says that review concluded on July 10. 

During the course of the investigation, the analysts determined that the files at issue included personal and protected health information related to certain individuals.

Names, Social Security numbers, license/state identification numbers, banking accounts and/or payment card information combined with the security code, access code, password, or PIN for the account, medical and health information, and dates of birth are among the potentially stolen information.

Purfoods was contacted by Privacy Bastion for additional information regarding the data breach, including how the hackers gained access to the network, whether a ransom was sought, and who was behind the attack. We are still waiting to receive a response. If and when we receive a response, we will update this story.

According to Purfoods, it reported the break-in to federal law enforcement and the US Department of Health and Human Services per the Health Insurance Portability and Accountability Act (HIPAA) requirements. This US data privacy law safeguards people's medical records.

The meal-delivery company said that it is also "working to implement additional safeguards and training to its employees."

Purfoods appears to be too late to stop the class-action lawsuits that will unavoidably be filed, because lawyers respect a good HIPAA-protected patient information case.

Three confirmed law firms are searching for those impacted by the Purfoods leak and asking clients to "call us as quickly as possible to understand your legal rights in reaction to the data breach."


  1. Office of the Maine Attorney General - Data Breach Notifications