Travel services company SkyMed International Inc. agreed to design, implement and maintain an information security plan that includes, among other things, encryption of sensitive data, annual employee training and access controls that require authentication, according to a final settlement the company reached with the Federal Trade Commission.
The company “failed to employ reasonable measures to secure the personal information it collected from people who had signed up for its travel emergency membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records,” the FTC alleged, according to a press release Friday. “The unsecured database contained members’ personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers.”
The FTC complaint describes a series of misrepresentations SkyMed made to consumers before and after a security researcher alerted the company to a cloud database of sensitive information, including health data, that anyone could easily access, alter, download or delete. It also said the company was unaware of the database.
“Before respondent received the security researcher’s notification, respondent had no idea that the publicly accessible cloud database even existed, let alone that it contained consumers’ personal information stored in plain text,” the complaint reads.
SkyMed, which requires members to share health information such as medical conditions, prescriptions and recent hospitalizations, marketed itself as secure. The FTC noted that the company displayed, on every page of its website, a logo connoting compliance with the Health Insurance Portability and Accountability Act (HIPAA), which spells out reasonable information security practices.
“Respondent signaled to consumers that a government agency or other third party had reviewed respondent’s information practices and determined that they met HIPAA’s requirements,” the complaint reads. “In reality, no government agency or other third party had reviewed respondent’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”
The company admitted it shouldn’t have displayed the seal, and removed it in April 2019 after the security researcher’s outreach, according to the complaint.
The FTC said SkyMed also deceived its customers after it learned of the exposed database.
The security researcher had sent the company screenshots showing that personal information was exposed in plain text, and notified the company that the exposed fields included the sensitive health information it had collected.
But in a May 2019 notice informing its current and former customers of the security incident, SkyMed emphasized in bold that “there was no medical or payment-related information visible and no indication that the information has been misused.”
“Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system,” the notice read. “At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers.”
Under the settlement, SkyMed must now resend notices to consumers disclosing the extent of the breach. It must also have a third party conduct biennial assessments of its new comprehensive information security program and refrain from misrepresenting its security practices or endorsements in the future.
Now that the consent order is final, the FTC notes that each violation of it may result in a civil penalty of up to $43,280.