FTC Reaches an Agreement with SkyMed to Settle a 2019 Consumer Data Breach Case

SkyMed, an emergency services provider in Nevada, has agreed to a settlement with the Federal Trade Commission (FTC) after the audit of its information security strategies, which was prompted by a 2019 data breach that compromised the personal data of consumers.

Security researcher Jeremiah Fowler informed SkyMed in 2019 that a misconfiguration of the Elasticsearch database resulted in the leaking of patient information. The data of 136,995 patients was accessible online without needing any authentication. The database can be viewed by using any web browser. The personal data in the database can be downloaded, modified, or deleted.

The information contained in the database included patient names, email addresses, addresses, birth dates, membership account numbers, and health data. Fowler likewise found artifacts associated with ransomware in the database. Upon notification, SkyMed started an investigation yet did not find any evidence that suggests the misuse of any content in the database.

According to SkyMed’s breach notification, some old information might have been exposed briefly when data was transferred from the old system to the new one. The compromised information is no longer accessible and only included names, physical and email addresses, telephone numbers, and membership ID numbers. No healthcare data or payment data was accessible and there’s no evidence that data was misused.

The FTC looked into the incident and did an audit to find out if the FTC Act was breached. The FTC determined several failures in security and breach responses. The FTC claimed SkyMed did not investigate if the unauthorized persons accessed the database when security was down, and that the provider didn’t sufficiently examine the database to know what data it stored. SkyMed consequently failed to ascertain if any health data was potentially exposed. When SkyMed verified the exposure of the database, the company removed the database to avert any unauthorized access. SkyMed additionally was unable to determine the people impacted by the breach.

The FTC stated that SkyMed’s website showed a “HIPAA Compliance” seal, giving the notion that the provider’s privacy and security policies were HIPAA compliant. However, SkyMed hadn’t been through a third-party review of its information security procedures and no government organization had evaluated its HIPAA compliance statements. As per the FTC, SkyMed had fooled customers for over 5 years by showing the HIPAA Compliance seal to its clients.

The FTC explained that SkyMed had no “reasonable measures” in place for securing the personal data of people who registered for its emergency services. SkyMed had no data loss prevention solutions, lack access controls, and failed to employ authentication for its systems. When SkyMed encountered a security breach, it failed to identify the compromised database containing personal data for 5 months until a security researcher found it.

The type of data exposed could likely bring about considerable damage to customers. SkyMed could have avoided or mitigated these data security issues if it had employed promptly available, and fairly low-cost, procedures.

The FTC alleged SkyMed had violated Section 5 of the FTC Act by engaging in unfair and/or misleading acts or procedures, which resulted in two counts of deception, one for the HIPAA compliance and another for its breach response. SkyMed additionally engaged in unfair information security practices.

Concerning the settlement, SkyMed is forbidden from misrepresenting its information security policies, data breach response, and the way the company safeguards the security, privacy, integrity, and confidentiality of the personal data, and involvement in any privacy or security plan sponsored by the federal government or any third party, which include self-regulatory or standard establishing company.

SkyMed needs to notify all affected consumers and give details regarding any information that was possibly exposed. A data security program needs to be implemented and managed by selected, competent staff. The program should consist of a company-wide risk assessment to pinpoint possible internal and external hazards, and safeguards ought to be integrated to make sure to mitigate risks and protect personal information.

There must be records of the database that can be accessed for monitoring. Data encryption should be enforced for sensitive information like financial account information, passport numbers, and medical data. All databases that contain personal data are necessary for monitoring and there must be restrictions to control access to sensitive information. SkyMed is additionally necessary to approve yearly compliance with the FTC settlement.