PurFoods Sued Over 1.2 Million-Record Mom’s Meals Data Breach
PurFoods LLC is being sued over a cyberattack that exposed the personally identifiable information (PII) and protected health information (PHI) of 1,237,681 individuals who used the services of its subsidiary, Mom’s Meals.
Through Mom’s Meals, PurFoods provides a food delivery service for Medicare, Medicaid, and self-pay individuals with chronic health conditions. According to the Mom’s Meals data breach notifications, the company experienced a cyberattack that saw unauthorized individuals access its network between January 16 and February 22, 2023, and deploy software (ransomware) to encrypt files on the network. While data theft was not confirmed, the possibility of data exfiltration could not be ruled out.
The review of the affected files was completed on July 10, 2023, and confirmed that names, Social Security numbers, driver’s license numbers, state identification numbers, financial account and payment card information, medical record numbers, health information, treatment information, diagnosis codes, meal categories and costs, health insurance information and patient ID numbers had been exposed. Affected individuals were notified on August 25, 2023, and were offered 12 months of complimentary credit monitoring services.
In September 2023, a lawsuit – Logan Aldridge v. PurFoods LLC dba Mom’s Meals – was filed in the U.S. District Court for the Southern District of Iowa on behalf of plaintiff Logan Aldridge and similarly situated individuals who had their PII and PHI compromised in the incident. The lawsuit alleges PurFoods failed to properly secure its network, which resulted in a massive data breach that affected more than 1.2 million individuals, and then unnecessarily delayed sending notification letters about the data breach. The letters were not received by the affected individuals until more than 7 months after the network was breached and more than 6 months after the data breach was discovered. While PurFoods uploaded a substitute breach notice to its website, the page was set to “No Index”, which prevented it from being indexed by search engines and appearing in search engine listings, indicating PurFoods was actively attempting to conceal the data breach.
The lawsuit alleges the plaintiff and class members’ PII/PHI is now in the hands of a ransomware actor who intends to sell or make the data available on the dark web, and that the plaintiff and class members face an imminent and ongoing risk of identity theft and fraud. The lawsuit alleges negligence, negligence per se, breach of implied contract and unjust enrichment, breach of confidence, bailment, and breach of implied covenant of good faith and fair dealing. It seeks class-action status, a jury trial, declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.
The plaintiff and class members are represented by Timothy M. Hansen of the law firm Hansen Reynolds LLC and Nicholas J. Mauro of the Carney & Appleby Law Firm.


