FTC Approves Settlement with Travel Company that Exposed Database of Customers’ Information


The agency ordered SkyMed International to shore up its information security practices. 

Travel services company SkyMed International Inc. agreed to design, implement and maintain an information security plan that, among other things, includes at least encryption of sensitive data, annual employee training and access controls that require authentication, according to a final settlement the company reached with the Federal Trade Commission.

The company “failed to employ reasonable measures to secure the personal information it collected from people who had signed up for its travel emergency membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records,” the FTC alleged, according to a press release Friday. “The unsecured database contained members’ personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers.”

The FTC complaint describes a series of misrepresentations SkyMed made to consumers before and after a security researcher alerted the company to a cloud database of sensitive information, including health data, that anyone could easily access, alter, download or delete. It also said the company was unaware of the database.

“Before respondent received the security researcher’s notification, respondent had no idea that the publicly accessible cloud database even existed, let alone that it contained consumers’ personal information stored in plain text,” the complaint reads.

SkyMed, which requires members to share health information such as medical conditions, prescriptions and recent hospitalizations, marketed itself as secure. The FTC noted its display of a logo connoting compliance with the Health Insurance Portability and Accountability Act—which spells out reasonable information security practices—on every page of its website.  

“Respondent signaled to consumers that a government agency or other third party had reviewed respondent’s information practices and determined that they met HIPAA’s requirements,” the complaint reads. “In reality, no government agency or other third party had reviewed respondent’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.” 

The company admitted it shouldn’t have displayed the seal, and removed it in April 2019 after the security researcher’s outreach, according to the complaint.

The FTC said SkyMed also deceived its customers after it learned of the exposed database. 

The security researcher had sent the company screenshots showing that personal information was exposed in plain text, and notified the company that the exposed fields included the sensitive health information it had collected.

But in a May 2019 notice informing its current and former customers of the security incident, SkyMed emphasized in bold that “there was no medical or payment-related information visible and no indication that the information has been misused.”

“Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system,” the notice read. “At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers.”

Under the settlement, SkyMed must now resend notices to consumers disclosing the extent of the breach. It must also have a third party conduct biennial assessments of its new comprehensive information security program and refrain from misrepresenting its security practices or endorsements in the future.  

Now that the consent order is final, the FTC notes each instance of its violation may result in a civil penalty of up to $43,280.  
