Imagine doing a routine online search and having the search engine serve up files that include medical histories, notes from psychiatric sessions and children’s medical exams, sensitive information about drug abuse or pregnancy loss, and personal data like Social Security and driver’s license numbers. That suggests a breach that “uh-oh” doesn’t begin to cover. The FTC’s lawsuit against GMR Transcription Services – the agency’s 50th settlement in a data security case – underscores the importance of safeguarding sensitive information regardless of whether the people working for you are across the hall, across town, or across the ocean.
GMR offers digital audio transcription services for academics, hospitals, government agencies, healthcare providers, and other companies. The files contain a lot of confidential stuff, including names, dates of birth, account numbers, and medical records. GMR assigns non-medical transcriptions to more than 100 independent typists in North America. For the three-year period at issue in the FTC’s complaint, GMR assigned all medical transcription to a service provider called Fedtrans Transcription Service, located in India. Fedtrans, in turn, reassigned the work to other independent typists.
GMR’s business runs almost entirely online. A customer logs in and uploads an audio file. The GMR typist then downloads the audio, creates a word processing document, and then uploads it back to the network. The customer gets an email with the transcript attached or a message to retrieve the file from the network. Medical transcription is handled the same way, but with Fedtrans acting as the intermediary between GMR and the typist.
Although we agree with GMR’s assessment, too bad the company didn’t follow its own advice – because according to the FTC complaint, GMR engaged in a number of practices that, when taken together, failed to protect personal information in the audios and transcribed files. The FTC says GMR’s service provider Fedtrans used a File Transfer Protocol (FTP) application that stored and transmitted files in clear, readable text. What’s more, the application was configured so that files could be accessed online without any authentication. That means that a major search engine was able to index thousands of medical transcript files Fedtrans completed for GMR, making them just a click away for people using the search engine. What’s particularly troubling, says the FTC, is that GMR could have corrected these failures by using readily available, low-cost security measures.
It’s worth taking a closer look at what GMR did (and didn’t do) that the FTC said failed to provide reasonable and appropriate security. According to the complaint, GMR didn’t make typists take basic steps like installing anti-virus software. In addition, the FTC says GMR didn’t require Fedtrans to use appropriate measures to protect the medical files – like making sure they were secure when stored or sent to the typists (for example, through encryption) or having typists enter user credentials before accessing the files. The lawsuit also alleges that GMR didn’t monitor what Fedtrans was doing to protect the highly sensitive information in its possession. Taken together, the FTC says that GMR’s course of conduct violated Section 5.
To settle the lawsuit, GMR has agreed to put a comprehensive information security program in place that’s appropriate to its size, the nature of what it does, and the sensitivity of the information. For example, GMR will:
- Name an employee who will be accountable for the program.
- Identify inside and outside risks.
- Put safeguards in place to control those risks and regularly test key systems and procedures.
- Use reasonable steps to choose service providers up to the task and put into the contact that they have to honor those standards.
- Keep its finger on the pulse by adjusting their security program as things change.
This is no “one and done” obligation. The order requires GMR to bring in an expert every other year for 20 years to assess and certify its program.
The message for businesess: Keep your own house in order, for sure. But it's also important to have procedures in place to monitor what your service providers are doing on your behalf. If they seem iffy about living up to your high standards, part company and find someone who will.