Health, payment info for 1.2M people feared stolen from Purfoods in IT attack

Purfoods has notified more than 1.2 million people that their personal and medical data — including payment card and bank account numbers, security codes, and some protected health information — may have been stolen from its servers during what sounds like a ransomware infection earlier this year.

Purfoods bills itself as a health-focused food-delivery biz. Its primary program is called Mom’s Meals, which works with more than 500 health providers including governments and managed-care organizations in the US to deliver refrigerated meals to people covered under Medicare and Medicaid, as well as individuals who want to buy ready-to-eat entrees.

Earlier this month, the company touted its partnership with Kaiser Permanente of Southern California on a post-hospital discharge study. The health-care org offered four weeks of Mom’s Meals to nearly 12,000 Medicare patients who had been discharged from 15 Kaiser Permanente hospitals after being treated for heart failure or other acute medical conditions.

They were probably lucky, given the timing. According to documents filed with the Maine Attorney General’s office and a notification letter mailed to 1,237,681 individuals, criminals broke into Purfoods’ network in January 16, encrypted some files containing customer information, and may have stolen others.

“Because the investigation also identified the presence of tools that could be used for data exfiltration, Purfoods was not able to rule out the possibility that data was taken from one of its file servers,” a letter to affected customers, dated August 25, stated [PDF]. 

The company subsequently hired a third-party incident response firm to help it probe the IT security breach, and says that review concluded on July 10. During the course of the investigation, the analysts “determined that the files at issue included personal and protected health information related to certain individuals.”

This potentially pilfered information includes names, Social Security numbers, driver’s license/state identification numbers, financial account and/or payment card information in combination with security code, access code, password or PIN for the account, medical information, health information, and date of birth. 

The Register reached out to Purfoods for more details about the data breach, including how the criminals accessed the network, whether they demanded a ransom, and who was responsible for the attack, and we’ve yet to receive a response. We will update this story if and when we hear back.

Purfoods says it notified federal law enforcement about the break-in, as well as the US Department of Health and Human Services, as is required by the Health Insurance Portability and Accountability Act (HIPAA) — the US data privacy law that protects individuals’ medical records.

The meal-delivery outfit said it’s also “working to implement additional safeguards and training to its employees,” and is providing free credit monitoring to all affected individuals for 12 months through Kroll.  

Although it’s questionable how much peace of mind this will give potentially compromised Purfoods’ customers considering that a Kroll employee was recently the victim of a SIM swapping attack in which crooks accessed personal info belonging to bankruptcy claimants in cases involving FTX, BlockFi, and Genesis.

The health-food biz is also providing people with info on how to better protect against identity theft and fraud, it says.

This includes “information on how to place a fraud alert and security freeze on one’s credit file, the contact details for the national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.”

While this may be an attempt to hold off the class-action lawsuits that are bound to follow — lawyers love a good HIPPA-protected patient info case — it looks like Purfoods is already too late.

Our very unscientific survey (read: we Googled it) uncovered three separate law firms fishing for people affected by the Purfoods breach and urging customers to “contact us as soon as possible to understand your legal rights in response to the data breach.” ®

READ MORE HERE