The Federal Trade Commission (FTC) has announced the settlement with SkyMed International has been finalized and resolves allegations that the Nevada-based travel and emergency services provider failed to implement reasonable safeguards to protect sensitive consumer information.
SkyMed stored customer information in the cloud but failed to secure a database containing the sensitive information of 130,000 individuals who had signed up for its travel insurance plan. The unsecured database was discovered by a security researcher in 2019 who was able to access the database without having to provide a username or password.
The database, which could be accessed by anyone over the Internet, contained the personal information of its members stored in plain text, including names, addresses, dates of birth, membership account numbers, and health information.
In a complaint against Skymed, the FTC alleged Skymed had neglected to implement reasonable safeguards to protect sensitive consumer data, failed to assess risks to sensitive data by performing penetration tests and other measures, and was not monitoring its network for unauthorized access.
Skymed notified current and former plan holders that it had investigated the breach and determined that medical and payment information had not been compromised and no evidence was found to indicate any misuse of the data; however, the FTC alleged SkyMed had not examined the information in the database, did not identify affected individuals, did not investigate whether the database had been accessed by unauthorized individuals, and simply deleted the database after confirming it had been exposed online.
The FTC also alleged SkyMed had deceived customers by including a HIPAA Compliance seal on each page of its website which suggested the company was fully compliant with the standards of the Health Insurance Portability and Accountability Act, which was not the case. Simply saying you are HIPAA compliant when a risk analysis has not been conducted and compliance has not been confirmed is lying to customers and misrepresenting privacy and security measures.
The settlement requires SkyMed to provide notice to all affected customers and provide them with details of the breach, must implement a comprehensive information security program, and undergo biannual security assessments by a third party. SkyMed is also prohibited from misrepresenting how the company secures personal data, whether the company has been endorsed by or participates in a government-sponsored privacy or security program, and the circumstances and response to a data breach.