The FTC settled a claim brought against a company (GMR Transcription Services) that provides medical transcription services and was charged that its inadequate data security measures unfairly exposed the personal information of thousands of consumers on the open Internet, in some cases including their medical histories and examination notes.
The complaint alleged that because of inadequate security, medical transcript files were indexed by a major internet search engine and were publicly available to anyone using the search engine. Some of the files contained notes from medical examinations of children and other highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse, and pregnancy loss.
The FTC used this opportunity to mark the 50th data security case the FTC has settled since undertaking its data security program and to stress the importance it sees in ensuring adequate security measures when treating personal data of customers.
Another data security case recently settled by the FTC is with the electronics company TRENDnet. The FTC’s complaint alleged that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring and claimed in numerous product descriptions that they were “secure.” The cameras, in fact, had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.
TRENDnet is required under the settlement, among other requirements, to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company is also required to obtain third-party assessments of its security programs every two years for the next 20 years.