To meet the needs of consumers who are injured or face a medical emergency while traveling, Scottsdale-based SkyMed International sells air evacuation plans and other services. The FTC’s action against SkyMed also involves consumer injury, but not of the fractured-femur-in-France variety. According to the FTC, SkyMed put consumers’ sensitive information at risk of compromise by failing to employ a robust data security program. SkyMed’s shortcomings came to a head when it left a database of 130,000 membership records – including sensitive health information – unsecured in the cloud. That’s just one alleged law violation addressed in the proposed settlement with SkyMed.
In addition to home addresses, passport numbers, dates of birth, and emergency contacts, SkyMed requires that applicants provide detailed health information – for example, medical conditions, prescribed medications, and recent hospitalizations. In March 2019, a security researcher using a regular search engine found an unsecured cloud database maintained by SkyMed that stored consumer information in plain text. Soon after that, the researcher contacted SkyMed with screenshots that showed people’s names, dates of birth, home addresses, account numbers, and health data – including prescriptions and hospitalizations – readily available to read, download, or alter. Although SkyMed deleted the database, the information had been publicly accessible for more than five months without SkyMed even knowing it existed.
How did SkyMed respond? The company contacted current and former members about the incident, but according to the complaint, SkyMed made misleading statements about the scope of its investigation and the nature of the consumer information it put at risk. The company claimed:
Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.
That’s what SkyMed said, but the complaint alleges that SkyMed didn’t have a reasonable basis for making the soothing statement that “There was no medical or payment-related information visible and no indication that the information has been misused.” Why not? Because according to the FTC, the company’s “investigation” didn’t involve much more than confirming the database was publicly accessible and then deleting it. At no point did SkyMed examine the information in the database, identify the consumers placed at risk, or look for evidence of unauthorized access.
Given the company’s practices, it was ironic – and, the FTC alleges, deceptive – that every page of SkyMed’s website included a seal that said “HIPAA compliance” illustrated with a medical caduceus, suggesting that a governmental entity or other third party had endorsed SkyMed’s practices.
The complaint alleges that SkyMed failed to employ reasonable measures to protect consumers’ personal information, an unfair practice under the FTC Act. Among other things, the complaint cites that SkyMed:
- failed to develop, implement, or maintain written information security standards and policies;
- failed to provide adequate security training for employees or contractors;
- stored personal information in plain text, without reasonable access controls or authentication protections;
- failed to assess risks to personal information on its network and databases – for example, by conducting periodic risk assessments or vulnerability and penetration testing;
- failed to have a procedure for inventorying and deleting consumers’ personal information when it was no longer needed; and
- failed to use tools to monitor for unauthorized attempts to move consumers’ personal information off the company’s network.
Count II of the complaint alleges that when SkyMed contacted consumers, the company violated the FTC Act by making statements about the results of its “investigation” without having the facts to back up what it said. In addition, the FTC challenges SkyMed’s use of that “HIPAA Compliance” seal. According to the complaint, the company falsely represented, expressly or by implication, that a government agency or third party had reviewed SkyMed’s information practices and determined they met HIPAA’s requirements.
The proposed settlement prohibits misrepresentations about how SkyMed secures consumer information, how it responds to data breaches, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program. SkyMed also must contact affected consumers by email – this time with the straight story about the data exposed by the breach. In addition, the order requires that SkyMed implement a data security program subject to third-party assessments every other year and that a senior manager certify annually that the company is in compliance with the order. In the future, SkyMed must contact the FTC if it’s required to notify a federal, state, or local government that personal information has been breached or if a consumer’s individually identifiable health information has been accessed, acquired, or publicly exposed without authorization. Once the proposed order appears in the Federal Register, the FTC will accept public comments for 30 days.
Here are some tips to take from the case.
Exercise particular caution with consumers’ health information. Don’t collect consumers’ health data without a legitimate business justification. But if you must maintain it, know what you have, know where you keep it, use reasonable measures to protect it, and securely dispose of it once that need is over. Also, the specifics of a complaint address the circumstances of just that case, but they can offer helpful insights in evaluating where you might want to reconsider your own procedures.
Falsely assuaging customer concerns post-breach can cause them to go from mad to worse. When notifying consumers about a data breach, candor counts. Accurately explain the circumstances and the consequences for consumers.
Sealed with amiss? Consumers usually aren’t in a position to evaluate a company’s information practices, which is why advertisers often display privacy- or security-related seals or certifications on their websites. Those aren’t just illustrations or buzzwords. They’re objective claims you need to substantiate. Furthermore, the Department of Health and Human Services – the government agency responsible for HIPAA enforcement – doesn’t certify companies or products as “HIPAA compliant.” Nor does it endorse or otherwise acknowledge private organizations’ purported certifications. The onus is on advertisers to ensure they’re not using imagery or text that falsely suggests government or third-party approval.