Many businesses pride themselves on meaning what they say, and saying what they mean. Other businesses get fined by regulators. On December 16, 2020, SkyMed settled with the Federal Trade Commission (FTC) over a deceptive business practice charge, in this case a false HIPAA compliance claim.

False HIPAA Compliance Claim

The FTC's complaint against SkyMed alleged that the company was plastering a "We are Compliant" seal on its website without any proof that it had satisfied the requirements of HIPAA compliance.

Unfortunately, the high failure rate of Office for Civil Rights (OCR) audits highlights the risk to organizations that make such claims but lack the documentation and an expert third party's verification and validation of their efforts. It is insufficient to say you are complying with HIPAA. You must be able to prove your compliance efforts.

What Did SkyMed Do Wrong?

According to the FTC’s website, “Nevada-based [SkyMed] failed to take reasonable measures to secure the personal information it collected from people who had signed up for its emergency travel membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records. The unsecured database, exposed by a security researcher, could be located and accessed by anyone on the Internet and contained personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers, according to the complaint.”


The FTC complaint continues, “SkyMed deceived consumers by displaying a “HIPAA Compliance” seal on its website, which gave the impression that its policies and procedures had been reviewed and met the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.”

After being informed of the exposed database, SkyMed notified current and former plan holders that it had investigated the breach and found “there was no medical or payment-related information visible and no indication that the information has been misused.” [However], SkyMed failed to examine the actual information stored on the database, identify affected consumers, and investigate whether any other unauthorized users had accessed the database. Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database, which prevented any further forensic analysis or investigation. 

How Did a Seal Figure Into It?

The FTC concluded that SkyMed’s unverified display of a “HIPAA Compliance” seal gave a false impression that the organization was compliant, and that patient data was being adequately protected. 

The FTC further stated, “In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.” 

SkyMed failed to protect consumer information and conduct a security risk assessment. On top of this, SkyMed, after being informed that the data was unsecured, lied to – deceived – planholders about having conducted a breach investigation.

After reading to this point, what would you guess is the moral of the SkyMed story? 

Making an unsubstantiated claim of your compliance is lying. Lying is bad?

Failing to safeguard customer data is wrong?

Cheating customers is wrong? 

Customer security should not be left in the wrong hands? 

Reasonable conclusions, all.

So What is the Real Lesson Learned by the SkyMed Case?

That utilizing a third party to verify and validate your efforts is the smart, safe and correct thing to do!

Had SkyMed brought in the right third party company, it would have been as simple as ABCs:

  1. The third party would have reviewed the risk assessment with SkyMed and identified the gaps, giving SkyMed the ability to close them before a breach occurred.
  2. Had a breach occurred, the fines would have been less severe had SkyMed worked with a third party to ensure that all technical gaps were identified and closed.
  3. The “HIPAA Compliance” seal would not have been a deceptive claim. It would have been proof of SkyMed’s compliance efforts. Had a third party verified and validated SkyMed’s compliance efforts, SkyMed would have had the documentation to prove its good faith effort to satisfy the law.

The SkyMed enforcement is the ideal example of the importance of working with MSPs and MSSPs as security and compliance experts to provide third party verification and validation of a company’s efforts to satisfy a regulation.