PHI Included in Mom’s Meals Data Breach

The parent company of the Mom’s Meals home delivery meal service – PurFood LLC – has published a Notice of Data Event on its website and filed a Data Breach Notification with the Maine Attorney General following a cyberattack earlier this year in which personal information relating to 1,237,681 customers, employees, and contractors is believed to have been stolen.

PurFood LLC – trading as Mom’s Meals – delivers refrigerated ready-to-eat meals nationwide to customers with special nutritional requirements. As well as supplying private customers, the company works with more than five hundred health plans, managed care organizations, and other agencies to provide access to meals for people covered by Medicare and Medicaid.

According to a Notice of Data Event on the company’s website, Mom’s Meals experienced a cyberattack between January 16, 2023, and February 22, 2023, that resulted in customer, employee, and contractor data being encrypted. An investigation into the cyberattack revealed the presence of data exfiltration software that may have been used to transfer data from PurFood’s servers.

The investigation determined that the encrypted files included personal and protected health information related to certain individuals. However, there is no guarantee that data was exfiltrated, and the Notice of Data Event notes the company has not seen any evidence of personal information being misused or further disclosed as a result of the Mom’s Meals data breach.

Nonetheless, the company has filed a Data Breach Notification with the Maine Attorney General and is in the process of notifying potentially affected individuals via U.S. Mail. At the time of publication, the company’s name does not appear on the HIPAA Breach Report. However, according to the Data Breach Notification, the date the breach was “discovered” is recorded as July 10, 2023.

What Data is Believed Stolen in the Mom’s Meals Data Breach?

The data believed stolen in the Mom’s Meals data breach includes dates of birth, driver’s license numbers, account information, payment card information, health information, medical record numbers, Medicare and Medicaid identifiers, treatment information, diagnosis codes, meal categories and costs, health insurance information, Social Security numbers, and patient ID numbers.

In order to prevent a repeat of the incident, PurFood states in its breach notification letter that the company has taken a number of steps to strengthen its security network and is reviewing its existing policies and procedures to identify any additional measures and safeguards that may be necessary. It is also providing credit monitoring, fraud consultation, and identity theft restoration services for a year.

Individuals who receive a breach notification letter relating to the Mom’s Meals data breach are advised to register for the credit monitoring services provided by the company, examine any correspondence from Medicare, Medicaid, or an insurer to ensure the services mentioned have been received (and report any discrepancies), and monitor their credit report – placing a freeze on the credit report if they are concerned about being a victim of identity theft.

The post PHI Included in Mom’s Meals Data Breach appeared first on HIPAA Journal.

Study Reveals State of External Exposure Management

CyCognito has published its latest State of External Exposure Management Report, which highlights the extent to which vulnerabilities affect organizations and how easy it is for hackers to exploit those vulnerabilities.

For the report, CyCognito’s researchers aggregated and analyzed 3.5 million digital assets between June 2022 and May 2023 across its customer base, which includes small, medium, and large enterprises, among them Fortune 500 companies.

The study found that 70% of web applications had severe security gaps, such as lacking web application firewall (WAF) protection and not using encrypted connections such as HTTPS, with 25% of web applications lacking both protections. A typical enterprise has more than 12,000 web apps such as APIs, SaaS applications, databases, and servers. The researchers found that at least 30% of those web apps (more than 3,000 assets) had at least one exploitable or high-risk vulnerability.

The study confirmed the extent to which personally identifiable information (PII) is put at risk. 74% of assets containing PII were found to be exposed to at least one major exploit, and one in ten assets had at least one easily exploitable issue. While critical severity vulnerabilities are a major concern, for every easily exploitable critical vulnerability identified, there were 133 easily exploitable high, medium, or low severity issues.

As CyCognito explains in the report, the attack surface is constantly changing, and its research suggests the attack surface fluctuates by as much as 10% each month. That means that over the course of a year, thousands of new assets may have been added to the network, and any one of those assets could contain an exploitable vulnerability. Because the attack surface is dynamic, organizations cannot make do with mapping it just once, as the map created will be out of date almost immediately.

Naturally, there is a balance to be struck, so many organizations have a biannual or quarterly mapping cadence, although such infrequent mapping could result in serious gaps in awareness and coverage. “To stay aware of risks as soon as they appear, use frequent mapping and scanning of all assets to maintain an up-to-date, comprehensive understanding of your external attack surface,” suggests CyCognito.

Attention needs to be paid to web apps, which typically account for around 22% of the attack surface. They are easy to deploy, provide access to valuable data, connect businesses with employees and customers, and can have dozens of components, each of which can be affected by security issues. Organizations should ensure that web apps are properly protected with WAF and encrypted connections, especially those that provide access to PII or e-commerce platforms.

Addressing security issues is a never-ending process. It is important to ensure that the most serious issues are prioritized and addressed first. CyCognito recommends using context about affected assets and threat actor activity to identify the most serious threats to prioritize and not to rely on CVSS scores, as there may be a far greater risk from less severe flaws, which threat actors can easily exploit.

The post Study Reveals State of External Exposure Management appeared first on HIPAA Journal.