Mom’s Meals, a meal delivery service for people with chronic health conditions, has confirmed a data breach affecting more than 1.2 million individuals.
In a data breach notice filed this week with Maine’s attorney general, Mom’s Meals parent company PurFoods confirmed that the meal delivery service experienced a cyberattack between January 16 and February 22. The company said that the incident resulted in the “encryption of certain files” and that tools commonly used to steal data were found on its network, suggesting ransomware may have been the culprit.
“We can’t rule out the possibility that data was taken from one of our file servers,” the company said.
PurFoods hired an unnamed third-party incident response firm to investigate the breach and said that the review concluded on July 10. This determined that the “files at issue included personal and protected health information related to certain individuals.”
Affected individuals include those who have received Mom’s Meals packages, including Medicare, Medicaid and self-paying members without an eligible health plan or who don’t qualify for government assistance.
The data breach also impacted the company’s current and former employees, and independent contractors.
The information included customer names, Social Security numbers, driver license and state identification numbers, financial account and payment card information, medical record numbers, health information, treatment information, diagnosis codes, meal categories and costs, health insurance information and patient ID numbers.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
PurFoods said it began notifying affected individuals on August 25 — seven months after it was first compromised and more than a month after it concluded its investigation into the breach. It’s not clear why the company waited so long to tell affected customers, and PurFoods did not respond to TechCrunch’s questions.
PurFoods published a separate data breach notice on its website, which at the time of publication includes “noindex” code telling search engines to ignore the webpage, effectively preventing affected individuals from finding the breach notice in search results.
PurFoods said it was providing access to credit monitoring services for 12 months via financial and security consultancy giant Kroll to individuals whose personal information was compromised by the breach.
Kroll, however, said last week that it too was the victim of a cyberattack involving the theft of personal data belonging to failed crypto companies, including BlockFi, FTX and Genesis, which rely on Kroll for their bankruptcy proceedings. As reported by KrebsOnSecurity, Kroll said an employee’s phone number was hijacked in a SIM swapping attack that was used to gain access to Kroll’s network.
