Uber is being hit with additional federal penalties for “misconduct” in not reporting a major 2016 data breach at a time when it is launching its Uber Health service, which the ride-sharing company pledges will be HIPAA compliant.
The Federal Trade Commission (FTC) announced April 12 that Uber had agreed to expand a proposed settlement it reached last year over charges that it deceived consumers about its privacy and data security practices.
The FTC said it was expanding the settlement scope because it learned after the initial settlement that Uber had not disclosed a significant data breach that occurred in 2016 while the agency was investigating the company about the consumer deception charges.
In the revised settlement, the FTC increased the data security requirements for Uber, including possible civil penalties if the company fails to notify the agency of future data breaches.
The revised settlement also included requirements for Uber to submit to the FTC all reports from the required third-party audits of Uber’s privacy program rather than only the initial report. Uber also must retain bug bounty reports regarding vulnerabilities that relate to potential or actual unauthorized access to consumer data.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the commission that it suffered another data breach in 2016 while the commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
Uber learned in November 2016 that hackers had accessed consumer data the company stored on its third-party cloud provider’s servers by using an access key an Uber engineer had posted on a code-sharing website, according to the FTC. The hackers used the access key to download unencrypted files from Uber’s cloud storage containing more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of Uber drivers and riders in the United States, the agency said.
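The breach vector the FTC describes, a cloud access key posted on a code-sharing site, is exactly the kind of leak a pre-commit secret scan is meant to catch before a push. The following is an added example written for this article, not Uber's, the FTC's, or any vendor's code; the key-format signature, the keyword heuristic and the entropy threshold are assumptions chosen for illustration, and the sample configuration is constructed (it uses the publicly documented example key values, not real credentials).

```python
"""Pre-commit secret scanner: flags cloud access keys and other credentials in
files before they are pushed to a code-sharing site.  Added example for this
article; the patterns and threshold below are illustrative assumptions."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Each pattern captures the sensitive value in a group named "v".
PATTERNS = {
    # AWS access key ID format (AKIA/ASIA + 16 uppercase alphanumerics), publicly documented.
    "aws_access_key_id": re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # PEM private key header, provider-independent.
    "private_key_block": re.compile(
        r"(?P<v>-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"
    ),
    # Heuristic: "name = value" where the name looks like a credential and the value is long.
    "assigned_secret": re.compile(
        r"""(?i)[a-z0-9_\-]*(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_\-]*"""
        r"""\s*[:=]\s*['"]?(?P<v>[A-Za-z0-9/+_\-]{16,})['"]?"""
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    fragment: str  # redacted, so the report itself never reproduces the secret


def shannon_entropy(s):
    """Bits per character; random-looking keys score high, placeholders score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text, entropy_threshold=3.5):
    """Return findings for one file's contents.  Signature patterns are always
    reported; keyword-assignment hits are reported only when the value has high
    entropy, which filters out placeholders such as 'changemechangeme'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group("v")
                if kind == "assigned_secret" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


def scan_staged_files():
    """Pre-commit hook entry point: scan every file staged for commit in git."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    report = {}
    for path in out.splitlines():
        if not path:
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


# Constructed sample input (AWS's documented example key values, not real credentials).
SAMPLE_CONFIG = """\
# constructed sample file, no real credentials
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = changemechangeme
"""

if __name__ == "__main__":
    report = scan_staged_files()
    for path, hits in report.items():
        for f in hits:
            print(f"{path}:{f.line_no}: {f.kind} ({f.fragment})")
    sys.exit(1 if report else 0)
```

Installed as `.git/hooks/pre-commit`, the script blocks the commit (exit status 1) whenever a staged file contains a hit, and the report only ever shows a redacted fragment. The entropy filter is what keeps the keyword heuristic usable: on the constructed sample it reports the access key ID and the high-entropy secret key but stays silent on the obvious placeholder password.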
The revised FTC complaint noted that Uber paid the hackers $100,000 through its third-party bug bounty program and failed to disclose the breach to consumers or the agency until November 2017.
In announcing the original settlement with Uber in August 2017, the FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on servers of a third-party cloud provider.
Such alleged data security misconduct on Uber’s part comes at a time when it is launching its health services unit. Last month, Uber announced that it is partnering with healthcare organizations to provide transportation for patients, caregivers, and staff.
In the announcement, Uber stressed that it has developed, implemented, and customized privacy and security safeguards to ensure that the service meets HIPAA requirements. Uber worked with Clearwater Compliance, a HIPAA compliance company, to conduct risk and compliance assessments. As a result, Uber signed business associate agreements, which require Uber to protect healthcare data.
In an interview with HealthITSecurity.com, Clearwater Compliance CEO Bob Chaput stressed that Uber Health has implemented a multi-step program to ensure HIPAA compliance and cyber risk management. The first step is setting up a governance and risk management plan. The next step is putting in place policies and procedures to address the HIPAA privacy, security, and notification rules, and training employees on those policies and procedures.
Chaput said that Uber met with representatives of the Office for Civil Rights to check on HIPAA compliance before it launched Uber Health. He stressed that the platform and process that Uber Health has set up to ensure HIPAA compliance will be seen as a best practice in the healthcare industry.
Still, healthcare partners of Uber Health might be concerned about the FTC’s allegations that the parent company deceived consumers about its privacy and data security practices and failed to disclose a major data breach at a time when it was under federal investigation.