Meal Delivery Service Hit by Multiple Lawsuits Concerning Data Breach

PurFoods, the parent company of Mom’s Meals, which delivers ready-to-eat meals across the US, faced a new lawsuit in November regarding a cyberattack between January 16 and February 22, 2023. Filed in South Carolina, this lawsuit joins other similar suits accusing the company of negligence leading to the breach of nearly 1.2 million individuals’ personal identifiable information (PII). A key aspect of this case is the inclusion of health information in the compromised data, which brings the incident under HIPAA jurisdiction. The company launched an investigation after detecting suspicious account activity a month after the attack.

Mom’s Meals provided food delivery service to Medicare, Medicaid, and self-pay individuals with chronic health conditions. Customers provided their health information to the company so that meals could be tailored to meet their nutritional needs. The exposed PII encompasses a range of sensitive data, including driver’s license and state ID numbers, financial and payment card details, medical record numbers, health insurance, and treatment information. Additionally, the social security numbers (SSN) of current and former employees were also compromised in the breach.

An initial suit against PurFoods was filed on September 13, 2023 in Iowa. Like the other suits, the class action contends that the company, covered under HIPAA, failed to promptly notify individuals affected by the Mom’s Meals data breach within HIPAA’s required disclosure window of 60 days. The company reportedly took over seven months post-access of their network and six months after discovering suspicious anomalies in account activity. Furthermore, PurFoods posted a breach notice on its website, but it was configured to be unsearchable by engines, suggesting an attempt to conceal or suppress breach details. The plaintiffs also accuse PurFoods of neglecting fundamental data security practices and failing to adequately safeguard the sensitive information of those affected.

Though not confirmed, indications are that PurFoods was the victim of a ransomware attack. Ransomware presents a low barrier of entry for malicious actors thanks to the “Ransomware-as-a-Service” kits that are available on the Dark Web. Even those with minimal technical skills can buy ransomware at a low cost, sharing profits from any ransoms. While paying ransom is undesirable, remediation costs often exceed the ransom amount, including expenses for security experts, overtime, legal fees, security upgrades, litigation, and lost revenue. Downtime halts income, and severe attacks can even affect stock prices and cause lasting reputational damage.

Incidents like the one involving Mom’s Meals shows that swiftly identifying a material cyber incident and promptly notifying affected individuals is essential for compliance regulations. This underscores the need for rapid recovery and a well-rehearsed incident response plan (IRP). An effective response extends beyond just having advanced security tools; it demands a cohesive and coordinated effort from the entire team. Conducting tabletop exercises is also invaluable, as they reveal potential vulnerabilities in an organization’s security strategy and allow team members to practice their roles in simulated attack scenarios. For more information on developing an incident response plan, feel free to reach out to HALOCK Security Labs and let us educate you on our five-point incident response process plan that we can customize to the specific needs of your organization.