PurFoods, which operates in the United States under the name Mom’s Meals, recently fell victim to a hacking attack. The attack affected over 1.2 million customers and employees, whose personal data was stolen.
PurFoods, or Mom’s Meals, is a medical meal delivery service that offers its services to self-pay customers and those eligible for government assistance under the Medicaid and Older Americans Act programs.
Anonymous member reveals details of attack
The company revealed that it had found traces of suspicious activity within its network on February 22 this year. At the time, its systems and files were suddenly encrypted, indicating that the company had suffered a ransomware attack. The company immediately began investigating the suspicious account behavior, hiring third-party specialists to conduct the investigation.
“The investigation determined that we suffered a cyberattack between January 16, 2023 and February 22, 2023, which included the encryption of certain files on our network,” PurFoods said in its notice. However, real signs of network problems became evident in early March. At that time, an anonymous Mom’s Meals employee revealed to the Iowa media that he hadn’t worked or been paid for a week.
The employee claimed it was an “Internet problem”, prompting rumors that the company had been the victim of a data breach. Meanwhile, PurFoods continued its investigation, which revealed that there had been a breach as early as January. Security specialists clarified the time of the breach, which occurred on January 16, 2023. The investigation also revealed which tools were probably used to steal the data that the hackers managed to locate in the network.
What information was stolen?
Further investigation in July of this year uncovered more details. For example, it confirmed that the hackers had accessed a large amount of customer and employee data.
These include dates of birth, social security numbers (for over 1% of those exposed), driver’s licenses, patient identification numbers, state identification numbers, health insurance information, financial account information, meal categories and costs, payment card data, diagnosis codes, medical record numbers, treatment information, Medicare and Medicaid information, and general health information.
The investigation further revealed that the data breach affects not only current employees, but also former employees and even independent contractors with whom the company has collaborated.
PurFoods reported the data breach in a statement to the Maine Attorney General’s office, revealing that 1,237,681 people were affected. All victims of the attack will receive free 12-month coverage of credit monitoring and identity protection services through Kroll, according to the company.
This measure is deemed necessary to protect customers, as the stolen data is highly sensitive and may enable attackers to carry out other elaborate scams, social engineering attacks, phishing attacks, etc.
Mom’s Meals customers have also been warned to remain extremely vigilant when it comes to incoming communications. Users should expect hackers or scammers to attempt some sort of direct attack via email, SMS, phone calls or possibly messaging applications.
The company said it had informed federal law enforcement authorities of the event and was cooperating fully with their investigation. It has also begun notifying affected individuals via US Mail, as of August 25 this year. The notification includes advice on how to protect yourself against identity theft and fraud, and how to access free credit monitoring and identity restoration services.
In addition, the company has taken a number of further steps to improve the security of its own network. It is reviewing existing policies and procedures, adding new ones and modifying them where necessary.