On January 31, the Federal Trade Commission (FTC) announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.
GMR contracted with Fedtrans Transcription Services, a service provider located in India, to transcribe audio files that could include patients’ identifying information (e.g., names, Social Security numbers), tax information, medical histories, medications, medical examination notes, and psychiatric notes. The audio files were downloaded by Fedtrans from GMR’s network, transcribed, and the transcriptions uploaded back onto the network. In 2011, files prepared by Fedtrans became publicly available and indexed by a major search engine when Fedtrans employed the use of a File Transfer Protocol (FTP) application that stored and transmitted files in cleartext (i.e., unencrypted) and did not require authentication for access.
The FTC alleged that GMR failed to ensure that Fedtrans “implemented reasonable and appropriate security measure to protect personal information,” stating that, for example, GMR did not:
- “require Fedtrans by contract to adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted to typists (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to such files”; and
- “take adequate measures to monitor and assess whether Fedtrans employed measures to appropriately protect personal information under the circumstances. Respondents did not request or review relevant information about Fedtrans’ security practices, such as, for example, Fedtrans’ written information security program or audits or assessments Fedtrans may have had of its computer network.”
GMR had previously assured its customers that information provided to the company was highly protected and secure, and that its transcription services were HIPAA compliant. According to the FTC complaint, however, GMR did not take reasonable measures to ensure that its contractors were held to these standards and thus its assurances of security were deceptive. As a result, files were stored and transmitted without reasonable security measures in place, resulting in their public availability and access.
The FTC’s settlement agreement requires GMR and its owners to take steps to establish, implement, and maintain a comprehensive information security program that is fully documented. GMR further agreed to an initial and biennial security assessment for the next twenty years. Additionally, GMR is prohibited from misrepresenting to consumers how it protects their personal information.
This consent agreement represents the FTC’s 50th data security settlement since it began its data security–related enforcement efforts in 2002. The FTC released a statement marking the milestone and acknowledging the continuing growth of its enforcement program, which notes that “the touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”
The GMR settlement signals that the FTC will hold companies to a high bar with regard to third-party vendor management and oversight, and also reflects the FTC’s continuing willingness to bring enforcement actions against healthcare companies. HIPAA-regulated entities are now on notice that the FTC’s standard on this issue may exceed that imposed by the Department of Health and Human Services (HHS) in enforcing HIPAA. The settlement serves as a reminder that all companies handling personal information need to establish reasonable and appropriate security expectations for their vendors when contracting, as well as put in place means for continued vendor management and oversight (e.g., by imposing audit requirements or a right of inspection).
Madeline Gitomer, an associate in our Washington office, contributed to this entry.