PurFoods, IBM and Johnson & Johnson Health Care Systems Faces Lawsuit Over Data Breaches

PurFoods Faces Lawsuit Due to 1.2 Million-Record Mom’s Meal Data Breach

PurFoods LLC is facing a lawsuit due to a cyberattack that compromised the protected health information (PHI) and personally identifiable information (PII) of 1,237,681 persons who received services from Mom’s Meals, its subsidiary.

Mom’s Meals is PurFoods’ channel to provide a food delivery service for Medicaid, Medicare, and self-pay persons who have chronic health problems. Based on the Mom’s Meals data breach notices, the company encountered a cyberattack that allowed unauthorized persons to access its system from January 16 to February 22, 2023, and use ransomware for file encryption. Although there is no confirmed data theft, the likelihood of data exfiltration cannot be eliminated.

The analysis of the impacted files was done on July 10, 2023, and affirmed the exposure of names, driver’s license numbers, state ID numbers, Social Security numbers, financial account and payment card details, medical record numbers, medical data, treatment details, diagnosis codes, meal types and costs, medical insurance data, and patient ID numbers. Impacted persons were informed on August 25, 2023, and were provided a year of free credit monitoring services.

In September 2023, the Logan Aldridge v. PurFoods LLC dba Mom’s Meals lawsuit was filed in the U.S. District Court for the Southern District of Iowa representing plaintiff Logan Aldridge and likewise situated people whose PII and PHI were exposed in the incident. The lawsuit claims PurFoods was unable to appropriately protect its system which led to a massive data breach that impacted over 1.2 million people, and then unnecessarily delayed the sending of breach notification letters, which the impacted individuals received over 7 months after the network breach and after over 6 months from discovering the data breach. Although PurFoods published a substitute breach notice on its online site, the page was not indexed, so the search engines could not read the page and did not include it in the search engine listings, suggesting that PurFoods was making an effort to hide the data breach.

The lawsuit claims the PII/PHI of the plaintiff and class members are currently in the possession of a ransomware actor who plans to sell or leak the information on the dark web. The plaintiff and class members have an impending risk of identity theft and fraud to deal with. The lawsuit claims negligence, negligence per se, unjust enrichment, breach of implied contract, breach of confidence, bailment, and breach of implied covenant of good faith and fair dealing and wants a jury trial, class-action status, declaratory relief, monetary damages, injunctive relief, statutory damages, equitable relief, and punitive damages.

Attorney Timothy M. Hansen of the law agency Hansen Reynolds LLC and Attorney Nicholas J. Mauro of the Carney & Appleby Law Agency are representing the plaintiff and class members.

IBM and Johnson & Johnson Health Care Systems Face Lawsuit for the August 2023 Data Breach

IBM Corp. and Johnson & Johnson Health Care Systems Inc. are facing a lawsuit in association with a data breach in August 2023 that compromised the PHI of thousands of individuals who used the patient assistance program of Janssen CarePath.

IBM is Johnson & Johnson’s business associate and controls the software and database that runs the Janssen CarePath platform. After receiving notification concerning a technical problem inside the platform that may be exploited to acquire access to sensitive information, IBM investigated and found out there was unauthorized access that happened on August 2, 2023. The data viewed by an unauthorized third party contained names, contact details, birth dates, medical insurance data, prescription drugs, and medical conditions. Impacted persons were provided free credit monitoring services for one year. It is presently uncertain how many individuals were impacted. In 2022, 1.16 million patients used the patient assistance program of Janssen CarePath.

On September 22, 2023, plaintiff Elaine Malinowski and likewise situated persons whose data were exposed filed a class action lawsuit in the US District Court for the Southern District of New York. The lawsuit claims IBM Corp. and Johnson & Johnson Health Care Systems did not appropriately protect the PHI of individuals who used the patient assistance program of Janssen CarePath, and that those failures are a violation of the HIPAA Privacy and Security Rules. There’s no private cause of action in HIPAA, meaning people cannot file a lawsuit against HIPAA-regulated entities or their business associates for HIPAA Rules violations. In this instance, the lawsuit doesn’t file claims for direct HIPAA violations but rather charges the defendants “with different legal violations only predicated upon the responsibilities established in HIPAA.

The lawsuit likewise questions the long time it took for the defendants to send breach notification letters. The breach was discovered on August 2, 2023, yet breach notification letters were not sent until September 15, 2023. The notification letters were mailed within the 60 days permitted by the HIPAA Breach Notification Rule. The lawsuit critiques the information in the letters, which made it hard for the plaintiff and class members to find the location of their PHI, those who used it, and for what it will probably be used.

The lawsuit states the plaintiff has needed to routinely keep track of her credit and identity for fraudulent activity because of the data breach and alleges the breach made her stressed because her personal and medical data is compromised. The lawsuit claims negligence per se, negligence for failing to appropriately secure information through procedures like encryption, unjust enrichment, breach of confidence, breach of the implied covenant of good faith and fair dealing, breach of implied contract, and breach of fiduciary duty.

The lawsuit wants a jury trial, class action certification, awards of nominal, actual, and consequential damages, and equitable relief to forbid the defendants from undertaking more wrongful conduct. The lawsuit wants a court order demanding that the defendants employ extra safety measures like encryption of all PHI/PII, to secure information with firewalls, patient information not to be kept in online hosting databases, and a threat management system to be applied and for penetration tests to be performed on a regular basis to spot vulnerabilities ahead of any exploitation. Jared R. Cooper, Esq of Robinson Yablon Cooper & Bonfante, LLP, and Daniel Srourian, Esq. of the Srourian Law Firm, P.C represented the plaintiff and class members.