SkyMed Comes to Settlement Agreement with FTC for 2019 Consumer Data Breach

SkyMed has com to a settlement agreement with the Federal Trade Commission (FTC) in the aftermath an audit of its information security practices in relation to a 2019 data breach that exposed consumers’ personal private data.

The Nevada-based emergency services provider was made aware by security expert Jeremiah Fowler in 2019 that it had an improperly configured Elasticsearch database that was leaking patient private data. The absence of protection meant the records of 136,995 patients could be accessed via the internet without the requirement for any authentication. The database could be accessed using any Internet browser and personal information in the database could be taken, edited, or even erased.

The database included information such as patient names, addresses, email addresses, dates of birth, membership details, and health information, according to Fowler. Fowler also discovered artifacts linked to ransomware in the database. When alerted in relation to the exposed database, SkyMed began an investigation but found nothing to suggest any information in the database had been improperly used.

It the official breach notification submitted, SkyMed said: “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC looked into the breach and carried out an audit to determine whether there had been a breach of the FTC Act. The FTC found a number of security and breach response failures. The FTC alleged SkyMed had not reviewed whether the database had been accessed by unauthorized individuals during the time security measures were not in place, and that the company failed to properly review the database to determine what information it included. SkyMed was therefore not able to ascertain whether any health information had potentially been impacted. When SkyMed discovered that the database had been exposed, the company deleted the database to stop any unauthorized access. SkyMed also failed to identify the individuals impacted by the breach.

The FTC said all pages on the SkyMed website displayed a “HIPAA Compliance” seal, which suggested that SkyMed’s privacy and security policies were in compliance with the standards legally required by the Health Insurance Portability and Accountability Act, yet the company had not completed a third-party audit of its information security practices and no government body had reviewed the HIPAA compliance claims. The FTC claimed SkyMed had deceived customers for more than five years by having the HIPAA Compliance seal on its company website.

Andrew Smith, director of the FTC Bureau of Consumer Protection. said: “People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure”.  The firm’s security practices did not meet the required standards and those expected by its clients.

The FTC stated “reasonable measures” to safeguard the personal information of individuals who signed up for its emergency services had not been put in place. SkyMed had not used any data loss prevention tools, there was an absence of access controls, and a failure to implement authentication for its databases. When a security breach occurred and a database containing personal information was breached, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security expert.

The FTC said that the nature of the information exposed “has caused or is likely to cause substantial injury to customers. [SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC claimed SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also ruled to have completed unfair information security practices.

As per the terms of the settlement agreed, SkyMed is forbidden from misrepresenting its data security practices, data breach response, and how the company safeguards the privacy, security, integrity, and confidentiality of the personal information, and participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting group.

SkyMed must provide breach notifications to all impacted consumers and provide information about any information that has possibly been exposed. An information security program must be configured, which must be coordinated by a designated, qualified member of staff. The program must include a group-wide risk assessment to identify potential internal and external risks, and security measures must be put in place to ensure those risks are mitigated and personal information is secured.

A record of database access must be established and monitored, and data encryption must be implemented for sensitive data such as financial account data, passport numbers, and health information.  Access controls are necessary for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also necessary to certify annually that it is in compliance with the requirements listed in the FTC settlement.

Author: Maria Perez