
Nevada company settles with FTC over unsecured data complaint

Federal regulators have signed off on a settlement agreement with a Nevada-based company that left its database full of clients’ health and personal information unsecured online.

The Federal Trade Commission – which enforces federal consumer protection and online privacy laws – alleged in a complaint that SkyMed International Inc. “engaged in a number of practices that failed to provide reasonable security for the personal information it collected, including sensitive health information.”

SkyMed – a Nevada-based corporation with its principal office in Arizona – offers emergency travel membership plans. The company provides medical evacuation services for members who sustain serious illness or injuries during travel, and offers hospital-to-hospital air transportation and medical escort flights.

In December, the company reached a settlement with the FTC; the agreement required approval from the commissioners.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the agency’s Bureau of Consumer Protection, said at the time.

A representative for SkyMed did not immediately respond to a request for comment Friday.

Company had ‘no idea’ client database was publicly available

The FTC’s complaint said that a security researcher in March 2019 discovered SkyMed’s unsecured and publicly available database of the company’s 130,000 clients’ data, including names, dates of birth, home addresses and health information.

Regulators found that if it weren’t for the researcher’s notification, SkyMed “had no idea that the publicly accessible cloud database even existed, let alone that it contained consumers’ personal information stored in plain text.”

SkyMed also admitted to the FTC that its placement of a “(Health Insurance Portability and Accountability Act) Seal” on every page of its website “should not have been on the website.” The complaint alleged that SkyMed made “false or misleading” claims to its clients that it had conducted an investigation, when in reality the company just deleted the database once the researcher notified it.

Settlement

While SkyMed neither admits nor denies any of the allegations in the FTC’s complaint, it did agree to settle with the regulator in December. As part of the agreement to resolve the complaint, SkyMed agreed to send a notice to affected consumers detailing the data that was exposed by the data breach.

The company is also prohibited from misrepresenting how it secures personal data, as well as the circumstances of and response to a data breach. SkyMed also will be required to identify and document potential internal and external risks to the security of the personal information it collects from clients.

The company also must obtain an assessment of its information security program once every other year from a third party approved by the FTC. SkyMed is also required to certify annually that the company is complying with the settlement.

The FTC voted 5-0 to finalize the agreement.

Contact Jonathan Ng at jng@reviewjournal.com. Follow @ByJonathanNg on Twitter.
