Pact With Medical Transcript Company Is FTC's 50th Data Security Settlement

Jan. 31 -- A medical transcription company has agreed to settle Federal Trade Commission administrative charges that it failed to reasonably and appropriately secure consumers' personal information despite promises in its privacy policies that it would do so, the FTC announced Jan. 31 (In re GMR Transcription Servs., Inc., FTC, File No. 122 3095, proposed consent order 1/31/14).

The “inadequate data security measures” of Tustin, Calif.-based GMR Transcription Services Inc., along with its president and vice president, “unfairly exposed the personal information of thousands of consumers on the open Internet, in some instances including consumers' medical histories and examination notes,” the FTC said in a statement announcing the pact.

The settlement is the 50th data security case the commission has settled since it initiated its data security program 12 years ago, the FTC added.

“What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into a vital enforcement program that has helped to increase protections for consumers and has encouraged companies to make safeguarding consumer data a priority,” the FTC said in a separate statement marking the 50th data security settlement.

The FTC's ability to bring enforcement actions against companies for lax data security under Section 5 of the FTC Act, 15 U.S.C. § 45, is currently being challenged in several federal lawsuits, one involving cancer detection services company LabMD Inc. and another involving hotelier Wyndham Worldwide Corp.

In a separate administrative action involving LabMD, the FTC Jan. 16 rejected LabMD's arguments that the commission lacks the authority to take enforcement action against it under Section 5 because the company is a covered entity under the Health Insurance Portability and Accountability Act.

Information Publicly Available

According to the FTC's proposed complaint against GMR, the respondents failed to require the typists they hired as contractors to adopt data security measures such as anti-virus programs.

The respondents also failed to verify that their service provider, Fedtrans Transcription Services Inc., properly secured consumers' personal information in audio and transcript files, the FTC said. An application used by Fedtrans stored and transmitted medical audio and transcript files in clear, readable text and made those files accessible online, according to the complaint. Thousands of medical transcript files were allegedly made publicly available through a major search engine.

The Fedtrans files included personal information such as names, dates of birth, medical information and employment information, according to the complaint. Some files allegedly included children's examination notes and very sensitive medical information such as mental health and alcohol use information.

“Respondents could have corrected their security failures using readily available, low-cost security measures,” the FTC said.

Proposed Settlement Terms

The FTC alleged that the respondents' practices were false or misleading and constitute unfair or deceptive acts or practices under Section 5 of the FTC Act.

The proposed consent order would prohibit GMR and its owners from misrepresenting the extent to which they protect consumers' personal information. It would also require the respondents to implement a comprehensive information security program and obtain initial and biennial assessments and reports by a third party covering their security programs.

The FTC said it is accepting comments on the proposed consent order through March 3. The FTC released an analysis of the proposed settlement to aid public comment.

Alain Sheer and Kandi Parsons of the FTC, in Washington, represented the commission. Barry Coburn of Coburn & Greenbaum PLLC, in Washington, represented GMR.

'Touchstone' Is Reasonableness

The FTC's statement marking its 50th data security settlement provides insight into how the commission views its ability to bring data security enforcement actions.

“The touchstone of the Commission's approach to data security is reasonableness: a company's data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities,” the FTC said.

“Through its settlements, testimony, and public statements, the Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law,” the commission added.

In the statement the FTC also outlined several basic principles of a data security program, including that companies: know what consumer information they possess and who has access to it; limit the information they collect and retain based on their business needs; protect the information they have; properly dispose of information; and maintain a plan to respond to security incidents.

Links to the FTC's proposed consent order, proposed complaint and analysis to aid public comment are available at http://www.ftc.gov/enforcement/cases-and-proceedings/cases/122-3095/gmr-transcription-services-inc-matter.

The “Commission Statement Marking the FTC's 50th Data Security Settlement” is available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.