Many businesses pride themselves on meaning what they say, and saying what they mean. Other businesses get fined by regulators. On December 16, 2020, SkyMed settled with the Federal Trade Commission (FTC) over a deceptive business practice charge, in this case a false HIPAA compliance claim.
The FTC in its complaint against SkyMed – was plastering a “We are Compliant” seal on a website, without any proof of their satisfying the requirements of HIPAA compliance.
Unfortunately, the high failure rate of the Office for Civil Rights (OCR) audits highlights the risk of organizations that make such false claims, but fail to have the documentation and an expert third party’s verification and validation of their efforts. It is insufficient to say you are complying with HIPAA. You must be able to prove your compliance efforts.
What Did SkyMed Do Wrong?
According to the FTC’s website, “Nevada-based [SkyMed] failed to take reasonable measures to secure the personal information it collected from people who had signed up for its emergency travel membership plan, and as a result, the company left unsecured a cloud database containing 130,000 membership records. The unsecured database, exposed by a security researcher, could be located and accessed by anyone on the Internet and contained personal information stored in plain text such as names, dates of birth, home addresses, health information, and membership account numbers, according to the complaint.”
Avoid HIPAA fines by becoming HIPAA compliant today!
The FTC complaint continues, “SkyMed deceived consumers by displaying a “HIPAA Compliance” seal on its website, which gave the impression that its policies and procedures had been reviewed and met the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.”
After being informed of the exposed database, SkyMed notified current and former plan holders that it had investigated the breach and found “there was no medical or payment-related information visible and no indication that the information has been misused.” [However], SkyMed failed to examine the actual information stored on the database, identify affected consumers, and investigate whether any other unauthorized users had accessed the database. Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database, which prevented any further forensic analysis or investigation.
How Did a Seal Figure Into It?
The FTC concluded that SkyMed’s unverified display of a “HIPAA Compliance” seal gave a false impression that the organization was compliant, and that patient data was being adequately protected.
The FTC further stated, “In fact, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.”
SkyMed failed to protect consumer information and conduct a security risk assessment. On top of this, SkyMed, after being informed that the data was unsecured, lied to – deceived – planholders about having conducted a breach investigation.
After reading to this point, what would you guess is the moral of the SkyMed story?
Making an unsubstantiated claim of your compliance is Lying. Lying is bad?
Falling to safeguard customer data is wrong?
Cheating customers is wrong?
Customer security should not be left in the wrong hands?
Reasonable conclusions, all.
So What is the Real Lesson Learned by the SkyMed Case?
That utilizing a third party to verify and validate your efforts is the smart, safe and correct thing to do!
Had SkyMed brought in the right third party company, it would have been as simple as ABCs:
- The third party would have reviewed the risk assessment with SkyMed, identified the gaps, giving SkyMed the ability to close them. SkyMed’s gaps would have been closed, preventing a breach altogether.
- Had a breach occurred, the fines would have been less severe had SkyMed worked with a third party to ensure that all technical gaps were identified and closed.
- The “HIPAA Compliance” seal would not have been a deceptive claim. It would have been proof of SkyMed’s compliance efforts. Had a third party verified and validated SkyMed’s compliance efforts, SkyMed would have had the documentation to prove its good faith effort to satisfy the law.
The SkyMed enforcement is the ideal example of the importance of working with MSPs and MSSPs as security and compliance experts to provide third party verification and validation of a company’s efforts to satisfy a regulation.
SkyMed’s failure validates the entire value proposition of MSPs, MSSPs, and the concept of using technology solutions to Achieve, Illustrate, and Maintain your efforts.
The Seal of Compliance is fundamental in justifying all of our efforts to protect our clients. Without the concept of a third party validation (seal), MSPs’ MRR business models would all fail – ultimately leaving clients vulnerable to breaches and threats. By hiring Compliancy Group to perform third party verification and validation, you and your healthcare clients are protected. With peace of mind. As we enter into a new decade and a new regulatory landscape, you can’t afford less.
