FTC Settles 2019 Consumer Data Breach Case with SkyMed
The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.
SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.
The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.
It its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”
The FTC investigated the breach and conducted an audit to determine whether there had been a breach of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.
The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.
“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards and those expected by its customers.
The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.
The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”
The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.
Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, data breach response, and how the company protects the privacy, security, integrity, and confidentiality of the personal information, and participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.
SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.
Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information. Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.