Colonoscopy Prep Retail Website Breach Festered for Years
Personal Data of 244,000 in Flux After Malware Probe of Gastroenterologist Vendor
As if colonoscopies weren't invasive enough, nearly a quarter-million patients who underwent an intestinal probe since 2019 now must grapple with a data breach tied to a hacking incident at a third-party vendor to gastroenterologists.
Kansas-based Captify Health is notifying approximately 244,300 patients that their payment card and other personal information may have been compromised in a data security incident that started as far back as 2019 and involved its colonoscopy prep kit online retail business.
A company breach notification filed with Maine's attorney general says the Captify Health online retail service Your Patient Advisor suffered a "malicious code" incident that persisted for more than three years, from May 26, 2019, to April 20, 2022.
The company says it received notice in March 2021 of fraudulent use of consumer credit cards related to its payment card environment. An investigation into the matter concluded Oct. 12, 2022, with a determination that a breach did occur.
Captify Health did not immediately respond to Information Security Media Group's request for additional details.
Affected information includes full name, address, payment card number, expiration date and payment card security code, the company says.
The incident raises a number of red flags, some experts say.
"It is an unambiguous requirement of the payment card industry data security standard - PCI-DSS - that the CVV number, or security code, must never be stored - and it appears as though it was," says Michael Hamilton, founder and CISO of security firm Critical Insight.
If that is the case, Your Patient Advisor potentially faces a variety of federal government and state regulatory issues, as well as possible class action litigation, says Hamilton.
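The PCI DSS point above is concrete enough to check for in code. The following is an added example, not code from Captify Health or Your Patient Advisor: it shows the storage practice the standard prohibits (an order record persisted with the full card number, expiry and security code), the shape a record may take after authorization (a processor token, last four digits and expiry), and a small audit that scans stored records and application logs for retained PANs and CVVs. The record layout, field names, processor token and sample data are all constructed for illustration.

```python
"""Audit a payment-order store and application logs for retained card data.

Added example, not Captify Health / Your Patient Advisor code.  Record layout,
field names, the processor token and all sample data are constructed.
"""
import re
from typing import Dict, List

# Constructed records in the shape an online ordering platform might persist.
# Order 1001 shows what PCI DSS forbids: the CVV (security code) stored next to
# the full PAN and expiry after authorization.  Order 1002 is the acceptable
# shape.  Order 1003 carries a digit run that is NOT a valid PAN (fails Luhn).
STORED_ORDERS: List[Dict[str, str]] = [
    {"order_id": "1001", "name": "A. Patient", "card_number": "4111111111111111",
     "exp": "09/25", "cvv": "123"},
    {"order_id": "1002", "name": "B. Patient", "card_token": "tok_x9f3",
     "card_last4": "4242", "exp": "11/24"},
    {"order_id": "1003", "name": "C. Patient", "card_token": "tok_q7m2",
     "notes": "tracking 4111 1111 1111 1112"},
]

# Constructed log lines: card data also leaks when request bodies are logged.
LOG_LINES: List[str] = [
    'POST /checkout body={"pan":"4242424242424242","cvv":"999","exp":"12/24"}',
    'POST /checkout body={"card_token":"tok_ab12"}',
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code", "card_code"}
CVV_LOG_RE = re.compile(r'"(?:cvv2?|cvc|cid|security_code)"\s*:\s*"\d{3,4}"', re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit runs (spaces/dashes allowed) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def sanitize_for_storage(checkout: Dict[str, str], token: str) -> Dict[str, str]:
    """The hardened side: build the order record that may be persisted once the
    processor has authorized the charge.  Keeps a processor token (assumed to
    come back from the gateway), last four digits and expiry; the full PAN is
    dropped and the CVV is never written anywhere."""
    pan = re.sub(r"[ -]", "", checkout.get("card_number", ""))
    return {
        "order_id": checkout["order_id"],
        "name": checkout["name"],
        "card_token": token,
        "card_last4": pan[-4:],
        "exp": checkout.get("exp", ""),
    }


def audit_records(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map order_id -> findings for records holding a CVV or an unmasked PAN."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        issues = []
        if any(k.lower() in CVV_KEYS and rec[k] for k in rec):
            issues.append("cvv_stored")
        for k, v in rec.items():
            if find_pans(str(v)):
                issues.append(f"pan_stored:{k}")
        if issues:
            findings[rec["order_id"]] = issues
    return findings


def audit_logs(lines: List[str]) -> List[int]:
    """Indexes of log lines that contain a PAN or a CVV field value."""
    return [i for i, line in enumerate(lines)
            if find_pans(line) or CVV_LOG_RE.search(line)]


if __name__ == "__main__":
    print("records:", audit_records(STORED_ORDERS))
    print("log lines:", audit_logs(LOG_LINES))
    form = {"order_id": "1004", "name": "D. Patient",
            "card_number": "4111 1111 1111 1111", "exp": "03/27", "cvv": "321"}
    print("sanitized:", sanitize_for_storage(form, "tok_demo"))
```

The Luhn filter is what keeps a scan like this usable on a real database dump or log archive: order numbers, tracking numbers and timestamps produce long digit runs, and without the checksum almost every record would be flagged. A PAN that survives after authorization is a finding on its own even when no CVV sits beside it, since the standard allows the PAN to be kept only under its storage protections, and the CVV never.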
At least one law firm - Markovits, Stock & DeMarco LLC - is already investigating a potential class action lawsuit.
Captify Health, which on its website says it serves 27 states nationwide, 500 physicians and 7 million patients, appears to be covered by HIPAA regulations for business associates of medical practices.
Under HIPAA, breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services Office for Civil Rights within 60 days of discovery. As of Monday, no breaches involving Captify Health appeared to be posted on the HHS OCR HIPAA Breach Reporting Tool website.
The stretched-out time frame of the malware incident - including the apparent 19-month-long investigation and the potential lag in notifying individuals of a breach - is concerning for a variety of reasons, says Tom Walsh, CEO of privacy and security consultancy tw-Security.
"Doing a thorough investigation after a breach occurs takes time; however, in this case, it seems to have taken an unusually long amount of time to report," he says.
"The potential dangers are identity theft, which can lead to the hacker or bad actor that obtained the breached data attempting some type of financial fraud - unauthorized purchases," Walsh says.
The main risk for Your Patient Advisor as an entity, aside from reputational damage, is that "they have left themselves open to a greater fine and/or legal action due to the long time frame," says Tom Cope, CISO of data loss prevention vendor Next DLP.
"PCI DSS fines are issued per month, so the entity could be looking at a 21-month back issue of fines," he says.
Flushing Out Bad Security Practices
Your Patient Advisor by Captify Health says it has taken a number of steps to augment data security. One is implementing additional security measures to secure its online ordering platform to reduce the risk of a similar incident occurring in the future.
"Your Patient Advisor has taken steps to ensure its platform is safe and secure for all purchases," the report says.
Entities also need to be diligent upfront to prevent breaches involving online retail and similar websites, Walsh says.
"At a minimum, any web-facing, consumer/patient access is a prime target for hackers. That is why a thorough risk analysis helps determine the greatest areas of exposure and where remediation efforts are needed most."