Governance & Risk Management , Incident & Breach Response , Privacy

FTC Finalizes SkyMed Data Leak Settlement

Firm Must Implement Security Improvements Following Exposure of Records
FTC Finalizes SkyMed Data Leak Settlement

A finalized Federal Trade Commission settlement issued Friday specifies security improvements that SkyMed, a company that provides medical emergency travel services, must implement following the leak of 130,000 membership records.

See Also: The Guide to Just-In-Time Privileged Access Management

Under the final settlement, SkyMed must send a notice to affected consumers describing the information exposed in the data leak and implement a comprehensive information security program. The firm must obtain biennial assessments of this program by a third party. And qualified staff members must evaluate the program annually and fix any deficiencies found.

"The settlement also prohibits SkyMed from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program," the FTC notes.

The settlement, however, includes no financial penalty.

2019 Incident

The FTC’s complaint against SkyMed says that in March 2019, a security researcher, using a publicly available search engine, discovered that an unsecured cloud database maintained by SkyMed was accessible via the internet.

The database contained approximately 130,000 membership records with consumers’ personal information stored in plain text. Exposed data included names, dates of birth, gender, home addresses, email addresses, phone numbers, membership information and account numbers and health information, such as prescription lists.

The FTC also alleged SkyMed deceived consumers by displaying for nearly five years a “HIPAA Compliance” seal on every page of its website, giving the impression that its privacy policies had been reviewed and met HIPAA security and privacy requirements, which was not the case.


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.