FTC Reaches Settlement with SkyMed for 2019 Consumer Data, PHI Breach

December 17, 2020 - The FTC reached a settlement with SkyMed that requires the Nevada-based provider of emergency services to implement a comprehensive information security program, which will resolve allegations stemming from a breach of consumer data, including protected health information in 2019.

The agency alleged the company failed to take reasonable steps to secure sensitive consumer data, like health records, which directly resulted in the exposure of 130,000 membership records.

In 2019, security researcher Jeremiah Fowler discovered a misconfigured Elasticsearch database belonging to SkyMed, which was left unsecured online and thus leaking a trove of sensitive data containing 136,995 records stored in plaintext.

The database was set to “open” and publicly visible in any internet browser, enabling anyone who discovered it to edit, download, or even delete the related data without the need for administrative credentials.

Fowler determined the database contained a file of each SkyMed member, which included their names, dates of birth, contact information, email addresses, membership account numbers, and information on their medical conditions. Evidence of ransomware was also found in the database, spotlighting further security risks.

READ MORE: FTC Seeks Comment on Breach Notification Rule for Health Data

According to the FTC complaint, after SkyMed was informed of the data exposure, the company launched an investigation that found “no medical or payment-related information visible and no indication that the information has been misused.” 

However, the FTC alleged SkyMed did not examine the actual information stored on the impacted database, nor did the company identify any of the affected consumers. FTC also claimed SkyMed did not investigate whether the database had been accessed by any unauthorized users.

“Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database,” FTC officials said in the release.

In response, FTC launched an audit into the incident believing that SkyMed violated provisions of the FTC Act.

The investigation also sought to determine claims that SkyMed deceived consumers by displaying a “HIPAA Compliance” seal on every page of its website, “which gave the impression that its privacy policies had been reviewed and met the security and privacy requirements of HIPAA.”

READ MORE: Zoom Reaches Settlement with FTC Over Misleading Security Practices

Despite those assertions, the FTC explained that no government agency or other third-party reviewer had verified those claims or SkyMed’s information practices for HIPAA compliance.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the FTC Bureau of Consumer Protection, said in a statement.

“The security of personal health information is a key priority for the FTC, and we will take action against companies that fail to implement robust data protection programs,” he added.

Under the settlement, SkyMed is banned from misrepresenting its data security practices, its data breach circumstances and response, and endorsements by or participation in any government-sponsored privacy and security program.

SkyMed is also required to send a breach notification to any impacted consumers, including details of any information exposed during the security incident. A qualified employee must also be designated to coordinate the efforts around the information security program.

The FTC-mandated information security program must include a risk assessment that will identify and document any potential internal and external risks, as well as the development, implementation, and maintenance of safeguards that will protect any personal information collected from any of the identified risks.

The assessments must be performed biennially by a third-party vendor. The FTC has the authority to approve and to examine the effectiveness of the security program to identify any gaps or weaknesses and monitor SkyMed’s efforts to address any identified issues.

The security policies must also contain technical measures for logging and monitoring access to databases that contain personally identifiable information, as well as encryption, at a minimum, for all passport numbers, financial account information, and any health information in SkyMed’s control.

SkyMed will also need to implement access controls for all data repositories containing personal data, including the restriction of inbound connections to approved IP addresses, requiring access authentication, and limiting employee access to what’s needed to perform their job functions.

Lastly, a SkyMed executive is required to annually certify that the company is in compliance with the requirements laid out by the FTC in the settlement.

Over the last few years, both Congress and the FTC have expressed the desire to expand the agency’s authority to enforce data privacy and security violations, as the Department of Health and Human Services is somewhat limited in its authority, particularly if a company is not considered a covered entity or business associate under the regulation.

Several bills proposed in 2019 sought to establish the FTC as an authority on certain privacy matters where HIPAA does not apply. However, the legislation has not yet gained traction.

For now, the FTC has sought to modify its own breach notification rule that would require vendors not covered by HIPAA to report data breaches to the agency within 60 days.