FTC Announces Settlement with SkyMed for Misrepresenting HIPAA Compliance, Data Breach

On Wednesday, the Federal Trade Commission (FTC) posted a notice of settlement against SkyMed International Inc. The original complaint was brought before the FTC directly regarding the business practices of SkyMed. The complaint included one count of misrepresentation in advertising Health Insurance Portability and Accountability Act (HIPAA) compliance and two counts regarding its business practices in protecting materials falling under the HIPAA regulations.

SkyMed provided medical transportation services and tailored insurance policies covering such services, the notice said. In advertising these services, SkyMed displayed several compliance seals, including seals from consumer protection organizations such as the Better Business Bureau. In that same section of the website, SkyMed displayed a stylized HIPAA seal, giving the impression that the website had been evaluated and approved by an entity that regulates HIPAA. As no such federal or accredited third-party certifying entity exists, the FTC alleged the seal was a fraudulent misrepresentation.

As part of the insurance application process, SkyMed also required HIPAA-protected information about the identity of the insureds and their medical conditions. However, the FTC alleged that SkyMed had poor standards, training, risk assessment, policies, and other business practices relating to the storage of this personal information. This culminated in the defendant's database of this information being hosted in a system that was directly reachable from the internet with no security controls, making it accessible to the general public. Beyond allowing the material to become exposed, upon discovering that it was visible in this manner, SkyMed took no action to investigate the situation and merely deleted the database. When disclosing the breach to its customers, SkyMed stated that no third parties had accessed the information, a claim that could not be substantiated because SkyMed had performed no investigation before deleting the data.

In the proposed settlement, SkyMed was prohibited from advertising its compliance with HIPAA in a manner that implied a certification status. SkyMed was also required to implement training, policies, audits, and business practices to meet HIPAA obligations regarding personal information that is currently within its control and information collected in the future. This includes biennial assessments of information security protocols by a third party approved by the FTC. SkyMed is also required to provide adequate notices to its clients and to work to properly evaluate any future breaches.

The complaint was brought by April Tabor, Acting Secretary of the FTC.