It feels like it’s been a while since we’ve seen an FTC data security case (well, apart from Zoom’s issues). Today, the FTC issued a press release about a settlement stemming from SkyMed International’s misconfigured Elasticsearch instance that exposed more than 130,000 people’s information. The exposed data were discovered by Jeremiah Fowler and reported in May 2019. Misconfigured databases or backups are a dime a dozen these days. What I especially like about the FTC’s action in this case is that they went after SkyMed for their misleading notification to consumers, as explained in their press release:
A Nevada-based company that provides travel emergency services must put in place a comprehensive information security program as part of a settlement with the Federal Trade Commission over allegations the company failed to take reasonable steps to secure sensitive consumer information such as health records.
In a complaint against SkyMed International, Inc., the FTC alleged that the company failed to take reasonable measures to secure the personal information it collected from people who had signed up for its emergency travel membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records. The unsecured database, exposed by a security researcher, could be located and accessed by anyone on the Internet and contained personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers, according to the complaint. The FTC also alleged that SkyMed failed to assess risks to such data by performing penetration testing and other measures, and failed to monitor its network for unauthorized access.
“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “The security of personal health information is a key priority for the FTC, and we will take action against companies that fail to implement robust data protection programs.”
After being informed of the unsecured data, SkyMed notified current and former plan holders that it had investigated the breach and found “there was no medical or payment-related information visible and no indication that the information has been misused.” The FTC alleged, however, that SkyMed failed to examine the actual information stored on the database, identify affected consumers, and investigate whether any other unauthorized users had accessed the database. Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database.
The FTC also alleged that SkyMed deceived consumers by displaying for nearly five years a “HIPAA Compliance” seal on every page of its website, which gave the impression that its privacy policies had been reviewed and met the security and privacy requirements of the Health Information Portability and Accountability Act (HIPAA). In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.
Under the proposed settlement, SkyMed is prohibited from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program. The company also will be required to send a notice to affected consumers detailing the data that was exposed by the data breach.
As part of the mandated information security program, the company must identify and document potential internal and external risks and design, implement, and maintain safeguards to protect personal information it collects from those risks. In addition, SkyMed must obtain biennial assessments of its information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of SkyMed’s information security program, identify any gaps or weaknesses, and monitor efforts to address these problems. The settlement also requires a senior SkyMed executive to certify annually that the company is complying with the requirements of the settlement.
The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company.
The FTC will publish a description of the consent agreement package in the Federal Register. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.
The Federal Trade Commission works to promote competition and to protect and educate consumers. You can learn more about consumer topics and report scams, fraud, and bad business practices online at ReportFraud.ftc.gov. Like the FTC on Facebook, follow us on Twitter, get consumer alerts, read our blogs, and subscribe to press releases for the latest FTC news and resources.