An organisation that provides home delivery meals has revealed that around 1.2 million people’s personal data may be at risk, after the company suffered a ransomware attack earlier in the year.

PurFoods, which offers up a service called Mom’s Meals, helps to provide meals for folks in a variety of different personal situations. From its site:

We work with over 500 health plans, managed care organisations, governments, and agencies to provide access to meals for people covered under Medicare and Medicaid, as well as the opportunity for individuals to order meals on their own.

The PurFoods notification reveals that suspicious account behaviour was first seen back in February of this year. An investigation concluded that at some point between January 16 and February 22, 2023, a cyberattack took place. Certain files in the PurFoods network were encrypted, and investigators also noticed tools present which can be used for data exfiltration. As a result, PurFoods says it “can’t rule out” the possibility that data was exfiltrated from one of its file servers.

The notice stresses that so far there has been no evidence of data being misused, which will be some measure of relief for those using the service. Even so, an abundance of caution has led to a variety of advice for those who think they may be impacted.

Here’s who could be affected by the breach according to PurFoods:

The individuals whose information was involved included clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.

The data potentially at risk, which is quite significant, includes:

• Date of birth
• Driver’s license/state identification number
• Financial account information
• Payment card information
• Medical record number
• Medicare and/or Medicaid identification
• Health information
• Treatment information
• Diagnosis code
• Meal category and/or cost
• Health insurance information
• Patient ID number
• Social Security numbers were involved for less than 1% of the total population, most of which are internal to PurFoods.

PurFoods began sending out notification letters by mail on August 25, which included specific information with regard to identity theft protection and availing of “identity restoration services and complimentary credit monitoring”. There’s also a dedicated call center line for people who may have further questions about the breach: (866) 676-4045.

At this point in time, there’s no additional information with regard to the specific ransomware used or whether additional extortion tactics were deployed. The notification does state that this incident is unrelated to the MOVEit attack from a few months prior. 

This could potentially prove to be costly for the food provider. As The Register notes, many search results for this breach lead to law firms on the lookout for potential clients impacted by the ransomware attack. We may have to wait a while to see if any data actually does leak online, or if PurFoods reveals any more information about the attackers behind the compromise. For now, if you receive a notification letter we suggest keeping a close eye on your finances, watch out for targeted phishing, and call the PurFoods helpline if you are concerned.