Governance & Risk Management , IT Risk Management , Privacy
After Data Leak, FTC Orders Firm to Fix SecurityProposed Settlement Spells Out Action Items for Medical Emergency Travel Services Firm
Following its exposure of personal information on 130,000 individuals in an unsecured cloud database, SkyMed International, a company that provides medical emergency travel services, must revamp its security practices, according to a proposed Federal Trade Commission settlement.
The FTC says Scottsdale, Arizona-based SkyMed failed to take “reasonable measures” to secure the personal information it collected from those who signed up for its emergency travel membership plan.
The FTC alleged in its complaint against SkyMed that the company deceived consumers by displaying for nearly five years a “HIPAA Compliance” seal on every page of its website, giving the impression that its privacy policies had been reviewed and met HIPAA security and privacy requirements. “In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA,” the FTC says.
LabMD Case Impact?
The proposed settlement with SkyMed “is consistent with other FTC actions where the agency has alleged that companies have advertised their endorsement by organizations where there has been no such endorsement,” says former FTC attorney Julie O'Neill, a partner at law firm Morrison & Foerster, who was not involved in the SkyMed case.
The enforcement action against SkyMed also reflects the FTC’s move, since the decision by the U.S. Court of Appeals for the 11th Circuit in the FTC’s dispute with now-defunct cancer testing laboratory LabMD, “to impose more precise and detailed data security obligations in consent orders – rather than imposing a general requirement that the company subject to the order implement ‘reasonable' security measures,” she notes.
That U.S. Court of Appeals in 2018 vacated an FTC enforcement action against LabMD in a data security dispute dating back to 2013.
In that ruling, the appeals court, among other things, noted that the FTC consent order against LabMD mandated “a complete overhaul of LabMD's data security program" and said "precious little about how this is to be accomplished.”
The FTC’s complaint against SkyMed says that, in March 2019, a security researcher, using a publicly available search engine, discovered an unsecured cloud database maintained by SkyMed was accessible via the internet.
The database contained approximately 130,000 membership records with consumers’ personal information stored in plain text. Exposed data included names, dates of birth, gender, home addresses, email addresses, phone numbers, membership information and account numbers, and health information, such as prescription lists.
On March 27, 2019, the security researcher notified SkyMed about the exposed database, the FTC says. The security researcher also informed SkyMed that anyone could easily alter, download or even delete the personal information contained in the database.
In response to the notification, SkyMed deleted the database, including the records it contained, according to the FTC.
SkyMed “failed to detect this unsecured and publicly accessible cloud database for more than five months,” the FTC says. “In fact, before [SkyMed] received the security researcher’s notification, [the company] had no idea that the publicly accessible cloud database even existed, let alone that it contained consumers’ personal information stored in plain text.”
Breach Notification Questioned
The FTC notes that, on May 2, 2019, SkyMed notified current and former membership plan holders of the security incident.
SkyMed said in its notification, according to the FTC: “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”
The FTC says that, contrary to SkyMed’s notification to consumers, the company’s investigation did not determine whether health information was stored on the cloud database. SkyMed “deleted the database without ever verifying the types of personal information stored,” the FTC says.
SkyMed’s “failure to use data loss prevention tools and lack of access controls and authentication protections for its networks … has caused or is likely to cause substantial injury to consumers,” the FTC alleges. “In particular, health information is valuable on the open market, and wrongdoers frequently seek to purchase consumers’ health information on the dark web.”
SkyMed “could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures,” the FTC states.
The FTC’s complaint against SkyMed alleged unfair and/or deceptive acts or practices under Section 5 of the FTC Act. That includes two counts of deception – including SkyMed’s alleged claims about HIPAA compliance and its misrepresentation about its security incident response, plus “unfair information security practices.”
Under the proposed settlement’s consent order, SkyMed must implement a comprehensive information security program that calls for several steps, including:
- Identifying and documenting potential internal and external risks;
- Designing, implementing and maintaining safeguards to protect personal information it collects from those risks;
- Obtaining biennial assessments of its information security program by a third party to examine the effectiveness of SkyMed’s information security program, identify any gaps or weaknesses and monitor efforts to address these problems.
The consent order also prohibits SkyMed from making misrepresentations including about how the company protects the privacy, security, availability, confidentiality or integrity of any personal information, as well as its participation “in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.”
SkyMed did not immediately respond to an Information Security Media Group request for comment.
Other Potential Violations?
Regulatory attorney Paul Hales of the law firm Hales Law Group, who is not involved in the SkyMed case, calls the company’s use of a HIPAA compliance seal on its website “a stupid marketing mistake.”
”Moreover, SkyMed may not even be subject to compliance with the HIPAA rules as a business associate,” he notes. “It would only be a business associate if, for example, it contracted with a covered entity like a health plan or another business associate like a third-party health plan administrator to provide services involving the disclosure of protected health information regulated by HIPAA."
The SkyMed data security incident also is likely a violation of state data breach and privacy protection laws, Hales says. “It may even be subject to the extra-territorial scope of the European General Data Protection Regulation.”
The FTC enforcement action against SkyMed is significant, Hales says, “because it spotlights a shocking case of careless security protections for consumers’ personal information that would have gone unnoticed by regulators but for its discovery by a security researcher.”
O’Neill expects that, in future cases, the FTC may seek to hold companies’ leadership and other key individuals responsible for alleged violations.
“The two current Democratic commissioners … have expressed interest in individual liability as a remedy in privacy and data security enforcement actions,” she notes.