Many businesses pride themselves on meaning what they say, and saying what they mean. Other businesses get fined by regulators. On December 16, 2020, SkyMed settled with the Federal Trade Commission (FTC) over a deceptive business practice charge, in this case a false HIPAA compliance claim.

False HIPAA Compliance Claim

The FTC's complaint against SkyMed alleged that the company was plastering a “We are Compliant” seal on its website without any proof that it had satisfied the requirements of HIPAA compliance.

Unfortunately, the high failure rate of Office for Civil Rights (OCR) audits highlights the risk to organizations that make such claims but lack the documentation, and an expert third party's verification and validation of their efforts, to back them up. It is insufficient to say you are complying with HIPAA. You must be able to prove your compliance efforts.

What Did SkyMed Do Wrong?

According to the FTC’s website, “Nevada-based [SkyMed] failed to take reasonable measures to secure the personal information it collected from people who had signed up for its emergency travel membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records. The unsecured database, exposed by a security researcher, could be located and accessed by anyone on the Internet and contained personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers, according to the complaint.”

The FTC complaint continues, “SkyMed deceived consumers by displaying a “HIPAA Compliance” seal on its website, which gave the impression that its policies and procedures had been reviewed and met the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.”

After being informed of the exposed database, SkyMed notified current and former plan holders that it had investigated the breach and found “there was no medical or payment-related information visible and no indication that the information has been misused.” [However], SkyMed failed to examine the actual information stored on the database, identify affected consumers, and investigate whether any other unauthorized users had accessed the database. Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database, which prevented any further forensic analysis or investigation. 

How Did a Seal Figure Into It?

The FTC concluded that SkyMed’s unverified display of a “HIPAA Compliance” seal gave a false impression that the organization was compliant, and that patient data was being adequately protected. 

The FTC further stated, “In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.” 

SkyMed failed to protect consumer information and conduct a security risk assessment. On top of this, SkyMed, after being informed that the data was unsecured, lied to – deceived – planholders about having conducted a breach investigation.

After reading to this point, what would you guess is the moral of the SkyMed story? 

Making an unsubstantiated claim about your compliance is lying. Lying is bad?

Failing to