Your Patient Advisor by Captify started notifying people in mid-December of a security breach that occurred in 2019 and continued for years.
Captify Health (“Your Patient Advisor”) is an online retailer of colonoscopy preparation kits. In March of 2021, they were contacted about the fraudulent use of consumer credit cards potentially related to their payment card environment.
For reasons they do not explain, their investigation did not conclude until mid-October 2022, by which time they concluded that malicious code had been injected into their payment portal in May of 2019 and had continued to exfiltrate data until April 20, 2022.
Impacted information may have included the full name, address, date of birth, payment card number, expiration date, and security code of those purchasing the preparation kits in their online store.
A number of sites reporting on this incident have reported that Your Patient Advisor is a business associate under HIPAA but does not yet seem to have reported the breach to HHS. Those sites, which DataBreaches is not naming, are in error. HIPAA is not implicated in this particular incident as no PHI was involved. Their attorney confirmed to DataBreaches that they are a business associate in other contexts and activities, but this incident did not involve PHI.
Although Captify may not have OCR to answer to about how they failed to detect the malware for years, even after being alerted to a problem, DataBreaches suspects that they may have a problem with PCI DSS compliance and possible state or industry regulators.
According to their notification to Maine, a total of 244,296 people were notified of this payment card breach.