A medical transcription service company's inadequate data security measures unfairly exposed the personal information of thousands of consumers on the open Internet, in some instances including consumers’ medical histories and examination notes, the Federal Trade Commission charged.
In its complaint against California-based GMR Transcription Services, Inc., the FTC alleges that GMR hired contractors to transcribe audio files received from the company’s customers. The contractors downloaded the files from the company’s network, transcribed them, and then uploaded transcripts back to the network. GMR then made the transcripts available to customers either directly or by e-mail.
Because of inadequate security, the complaint alleges, medical transcript files prepared between March 2011 and October 2011 by Fedtrans, GMR’s service provider, were indexed by a major internet search engine and were publicly available to anyone using the search engine. Some of the files contained notes from medical examinations of children and other highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse, and pregnancy loss.
The files handled by the company included sensitive information about consumers, including their driver’s license numbers, tax information, medical histories, notes from children’s medical examinations, medications and psychiatric notes, according to the FTC’s complaint.
According to the complaint, GMR’s privacy statements and policies promised that “materials going through our system are highly secure and are never divulged to anyone.” However, the company never required the individual typists it hired as contractors to implement security measures, such as installing anti-virus software.
In addition, an independent service provider GMR hired to transcribe medical files stored and transmitted the files in clear and readable text on a server that was configured so that they could be accessed online by anyone without authentication.
The FTC’s consent order with GMR marks the 50th data security case the Commission has settled since undertaking its data security program 12 years ago.