FTC takes action against Illusory Systems over $186 million hack
Kirsten Peremore
Dec 26, 2025 3:58:17 PM
On December 16, 2025, the Federal Trade Commission (FTC) announced action against Utah-based Illusory Systems Inc., which does business as Nomad, for failing to implement adequate data security measures.
What happened
The FTC alleged that Nomad’s security failures allowed hackers to exploit a coding vulnerability introduced in June 2022, resulting in the theft of $186 million from consumers. The Commission, under Director Christopher Mufarrige of the Bureau of Consumer Protection, filed an administrative complaint and proposed a consent order requiring Nomad to implement a comprehensive information security program, obtain biennial assessments by an independent third party, and return recovered funds to affected consumers.
The proposed order, in a matter handled by FTC staff attorneys M. Hasan Aijaz and Julia Horwitz, also prohibits Nomad from making misrepresentations about its security practices. The proposed order is subject to a 30-day public comment period after publication in the Federal Register, after which the Commission will decide whether to finalize it.
The backstory
In June 2022, Utah-based Illusory Systems Inc., which operates under the name Nomad, introduced inadequately tested software code containing a security vulnerability.
Just over a month later, hackers began exploiting this flaw, leading to theft that left consumers with net losses of over $100 million. The FTC alleged that Nomad failed to implement secure coding practices, respond promptly to vulnerability reports, or use widely known technologies that could have mitigated losses.
What was said
In the press release, Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, said: “The FTC Act requires companies to take reasonable security measures. It’s important that companies live up to their security promises to consumers.”
Why it matters
The FTC’s action against Nomad shows the need for strong data security. Even companies not covered by HIPAA, such as digital health apps, third-party vendors, and personal health record services, can face serious consequences if they fail to protect consumer data or make misleading claims about security.
According to the FTC’s report on its actions in healthcare, “The Federal Trade Commission sued the health information technology company Surescripts, alleging that the company employed illegal vertical and horizontal restraints to maintain its monopolies over two electronic prescribing, or ‘e-prescribing,’ markets: routing and eligibility, which transmit prescriptions to pharmacies and determine a patient’s eligibility for prescription coverage.”
The FTC expects organizations to implement reasonable security measures, respond promptly to vulnerabilities, and be transparent about their security practices. Failure to meet these standards can lead to enforcement actions, mandatory security programs, independent audits, and financial restitution to affected consumers. For healthcare organizations, Nomad’s case shows that the FTC is actively monitoring how companies handle sensitive health information.
FAQs
What authority does the FTC have over data security?
The FTC can enforce the FTC Act, which prohibits unfair or deceptive practices, including failing to implement reasonable data security measures.
Can the FTC take action against healthcare companies not covered by HIPAA?
Yes. The FTC can regulate any company that handles consumer health information, such as health apps or third-party service providers, even if HIPAA does not apply.
What remedies can the FTC require from companies it enforces against?
The FTC can require companies to implement comprehensive security programs, undergo independent audits, return funds to affected consumers, and prohibit false claims about security practices.