On January 31, 2014, the Federal Trade Commission announced a settlement with GMR Transcription Services, Inc. (“GMR”) stemming from allegations that GMR’s failure to provide reasonable security allowed certain patients’ medical transcripts to be exposed to the public on the Internet. The FTC issued an accompanying press release stating it was the FTC’s 50th data security settlement.

GMR provides audio transcription services for businesses in various sectors, including health care providers. GMR typically uses vendors to transcribe the audio file into text. In its complaint, the FTC alleged that GMR failed to ensure that a particular overseas vendor who provided medical transcription services provided adequate security for the text documents it created. Specifically, the FTC alleged that GMR failed to (1) require the vendor via contract to adopt and implement reasonable security measures to protect personal information, and (2) assess and verify whether the vendor employed adequate security measures to protect personal information. As a result of GMR’s deficient security practices, the complaint charged that patients’ medical transcripts, which included their names, Social Security numbers and medical and psychological health information, were available on the Internet.

The settlement, which terminates 20 years from its issuance, includes requirements that GMR:

  • establish, implement and maintain a comprehensive information security program;
  • obtain biennial assessments of its information security program from an independent third-party auditor;
  • maintain, and submit to the FTC upon request, all information relied on to complete the biennial assessments of its information security program for three years and all documents related to its compliance with the settlement for five years;
  • deliver copies, and obtain signed acknowledgements, of the settlement to current and future GMR principals, officers, directors, employees and agents;
  • submit a report to the FTC detailing the manner and form of GMR’s compliance with the settlement.

In the FTC’s accompanying statement, the FTC said that “What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into a vital enforcement program that has helped to increase protections for consumers and has encouraged companies to make safeguarding consumer data a priority.”