The company behind Mom’s Meals faces a proposed class action over a data breach that reportedly occurred between January 16 and February 22, 2023.
The 57-page case against PurFoods LLC says that although the meal delivery service has a legal obligation to keep consumers’ private data secure from unauthorized access, the company negligently failed to maintain adequate cybersecurity measures, resulting in the exposure of the personal information of 1,237,681 individuals.
According to the filing, Mom’s Meals works with health plans, managed care organizations, governments and other agencies to deliver ready-to-eat entrees to individuals with Medicare and Medicaid. Data compromised in the cyberattack included consumers’ names, financial account and payment card information, medical record numbers, health and treatment information, diagnosis codes, meal categories and cost, health insurance information and patient ID numbers, the lawsuit claims.
Mom’s Meals’ online notice adds that the incident may have exposed consumers’ dates of birth, driver’s license or state identification numbers, Medicare and/or Medicaid identification, and, supposedly in less than one percent of cases, Social Security numbers.
The complaint explains that the breach impacted customers who’ve received Mom’s Meals packages, including Medicare, Medicaid and self-paying members without an eligible health plan or who do not qualify for government assistance. The incident also involved data belonging to current and former employees and independent contractors, the suit notes.
“As a result of PurFoods’s inadequate security and breach of their duties and obligations, Plaintiff’s and Class Members’ Private Information was accessed by third-party ransomware attackers who have the intent to take that data and to sell it on the dark web, among other things,” the suit says, stressing that data breach victims now face an “imminent and ongoing” risk of identity theft and fraud.
The case further alleges that the company has been neither “forthcoming nor expedient” in its notification of victims, who remained unaware that their private data had been exposed for over seven months after Mom’s Meals’ network was accessed and over six months after the company says it became aware of “suspicious account behavior” on February 22.
PurFoods’ August 25 notice letter states that it immediately launched an investigation that didn’t conclude until July 10.
“Despite the fact that PurFoods allegedly conducted a five-month investigation, it has not revealed most of the findings of the investigation it commissioned,” the complaint says. Per the filing, the company’s letter fails to inform victims when or how the unauthorized actor first gained access to its systems, what specific information was impacted and whether the accessed data has been or will be misused by hackers.
The filing also accuses Mom’s Meals of “actively concealing or—at least—attempting to suppress” information related to the data breach. Citing an August 2023 TechCrunch article, the complaint alleges that PurFoods had included “noindex” code on its online notice of the incident, effectively preventing affected individuals from finding the webpage in their search engine results.
The lawsuit looks to represent anyone in the United States whose private information was compromised in the Mom’s Meals data breach by unauthorized persons, including anyone who was notified of the incident by PurFoods.