US food delivery service PurFoods discloses data breach

PurFoods, a U.S. producer of medically-tailored home-delivered meals, has disclosed a data breach affecting over 1.2 million people.

According to a report filed to regulators last week, hackers might have accessed customers' personal, financial and medical information, including names, financial account and payment card numbers, Social Security numbers, health insurance member identification numbers, as well as account security codes and passwords.

The company said that “it has seen no evidence that any personal information was misused or further disclosed as a result of the cyberattack.”

PurFoods partners with health plans, managed care organizations, and government agencies to offer meals to people enrolled in Medicare and Medicaid health programs, as well as those who pay for the service themselves. PurFoods customers include seniors, high-risk patients and people who are permanently or temporarily disabled.

The incident occurred in January but was not discovered until February, the company said. Customers were notified late last week that their data had been compromised.PurFoods also notified federal law enforcement about the incident.

During the investigation, which is still ongoing, the company found out that certain files in its network were encrypted, according to a notice sent to affected customers in the state of Maine. It also identified the presence of tools that could be used for data exfiltration, adding that it’s possible that data was stolen from one of its file servers.

The company said it provided free one-year access to credit monitoring services for individuals whose personal information was potentially affected. “We are sorry for any inconvenience this incident may cause,” the letter to customers said.

To prevent similar attacks in the future, “PurFoods is also working to implement additional safeguards and training to its employees.” The company did not immediately respond to a request for comment.