FTC Finalizes SkyMed Data Leak SettlementFirm Must Implement Security Improvements Following Exposure of Records
A finalized Federal Trade Commission settlement issued Friday specifies security improvements that SkyMed, a company that provides medical emergency travel services, must implement following the leak of 130,000 membership records.
Under the final settlement, SkyMed must send a notice to affected consumers describing the information exposed in the data leak and implement a comprehensive information security program. The firm must obtain biennial assessments of this program by a third party. And qualified staff members must evaluate the program annually and fix any deficiencies found.
"The settlement also prohibits SkyMed from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program," the FTC notes.
The settlement, however, includes no financial penalty.
The FTC’s complaint against SkyMed says that in March 2019, a security researcher, using a publicly available search engine, discovered that an unsecured cloud database maintained by SkyMed was accessible via the internet.
The database contained approximately 130,000 membership records with consumers’ personal information stored in plain text. Exposed data included names, dates of birth, gender, home addresses, email addresses, phone numbers, membership information and account numbers and health information, such as prescription lists.
The FTC also alleged SkyMed deceived consumers by displaying for nearly five years a “HIPAA Compliance” seal on every page of its website, giving the impression that its privacy policies had been reviewed and met HIPAA security and privacy requirements, which was not the case.