PHI Included in Mom’s Meals Data Breach
The parent company of the Mom’s Meals home delivery meal service – PurFood LLC – has published a Notice of Data Event on its website and filed a Data Breach Notification with the Maine Attorney General following a cyberattack earlier this year in which personal information relating to 1,237,681 customers, employees, and contractors is believed to have been stolen, and according to the HHS’ Office for Civil Rights breach portal, the protected health information of up to 1,229,233 individuals was involved.
PurFood LLC – trading as Mom’s Meals – delivers refrigerated ready-to-eat meals nationwide to customers with special nutritional requirements. As well as supplying private customers, the company works with more than five hundred health plans, managed care organizations, and other agencies to provide access to meals for people covered by Medicare and Medicare.
According to a Notice of Data Event on the company’s website, Mom’s Meals experienced a cyberattack between January 16, 2023, and February 22, 2023, that resulted in customer, employee, and contractor data being encrypted. An investigation into the cyberattack revealed the presence of data exfiltration software that may have been used to transfer data from PurFood’s servers.
The investigation determined that the encrypted files included personal and protected health information related to certain individuals. However, there is no guaranteed data was exfiltrated, and the Notice of Data Event notes the company has not seen any evidence of personal information being misused or further disclosed as a result of the Mom’s Meals data breach.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Nonetheless, the company has filed a Data Breach Notification with the Maine Attorney General and is in the process of notifying potentially affected individuals via U.S. Mail. At the time of publication, the company’s name does not appear on the HIPAA Breach Report. However, according to the Data Breach Notification, the date the breach was “discovered” is recorded as July 10, 2023.
What Data is Believed Stolen in the Mom’s Meal Data Breach?
The data believed stolen in the Mom’s Meal data breach includes dates of birth, driver’s license numbers, account information, payment card information, health information, medical record numbers, Medicare and Medicaid identifiers, treatment information, diagnosis codes, meal categories and costs, health insurance information, Social Security numbers, and patient ID numbers.
In order to prevent a repeat of the incident, PurFood states in its breach notification letter that the company has taken a number of steps to strengthen its security network and is reviewing its existing policies and procedures to identify any additional measures and safeguards that may be necessary. It is also providing credit monitoring, fraud consultation, and identity theft restoration services for a year.
Individuals who receive a breach notification letter relating to the Mom’s Meals data breach are advised to register for the credit monitoring services provided by the company, examine any correspondence from Medicare, Medicaid, or an insurer to ensure the services mentioned have been received (and report any discrepancies), and monitor their credit report – placing a freeze on the credit report if they are concerned about being a victim of identity theft.