The data breach nightmare: Thousands of medical transcripts, including medical histories of children and adults, doctors’ and psychiatrists’ notes, and information such as pregnancy loss, alcohol and drug use, are publicly available online through a major search engine because you failed to require your contractor transcribing the information to take basic data security precautions.

The Federal Trade Commission’s lawsuit against GMR Transcription Services and its two owners (In the Matter of GMR Transcription Services, Inc., Ajay Prasad, and Shreekant Srivastava, File No. 122 3095) for the data breach described above emphasizes the importance of imposing appropriate safeguards on vendors with access to consumers’ personal information and confirming the safeguards are employed. The FTC has proposed to settle this lawsuit with a consent order that would impose improved data security practices, monitoring and reporting obligations on GMR for 20 years. The settlement marks the FTC’s 50th settlement of a data security case since 2002, when it began its data security enforcement initiative. The settlement is also a reminder to healthcare providers and other entities subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy rules that they face double scrutiny with respect to their vendors’ security practices, from both the FTC and the Department of Health and Human Services.

GMR transcribes audio files from assorted industries, including healthcare, telecom and financial services. The files contain sensitive information such as names, birth dates, addresses, social security numbers, and other personal information like medical records. GMR contracted all of the medical transcription at issue in this matter to Fedtrans Transcription Services, a contractor in India, and Fedtrans further subcontracted it to independent typists.

The transcription service is almost entirely online. A typist downloads files uploaded online by a customer, transcribes them to a written document, then uploads the transcript back to GMR’s or Fedtrans’ network, as applicable. Customers receive the completed transcript by email or receive notice it is complete and ready for download.

Fedtrans’ “File Transfer Protocol” used to store medical audio files and resulting transcripts and transmit them between its network and typists was configured so that such data could be accessed online by anyone. No typist authentication was required to retrieve files and the files and transcripts were stored and transmitted in clear readable text (sans encryption). The FTC’s complaint alleges that a major search engine accessed and made publicly available thousands of medical transcripts that had been prepared by Fedtrans over 8 months during 2011.

Takeaways: The FTC believes that the Fedtrans incident could have been prevented had GMR taken steps to require reasonable security by its subcontractor, and GMR’s failure to do so is an unfair or deceptive trade practice under Section 5 of the FTC Act. GMR did not but should have: (1) contractually required Fedtrans to employ data security measures, such as securely storing and transmitting medical files (i.e., via encryption), requiring typists to verify their identity prior to accessing files, and requiring typists to use anti-virus software; and (2) assessed Fedtrans’ implementation of security measures, for example, by reviewing its written security plan or audits of its computer network.

As part of the consent order, GMR is required to implement a security program appropriate to the sensitivity of the information it handles, which would include monitoring what its contractors do on its behalf. GMR is also precluded from misrepresenting its data security, and by extension, that of its contractors. The FTC’s complaint alleges that GMR held itself out as a “HIPAA Compliant Medical Transcription Service” and overpromised customers “You can be assured that the materials going through our system are highly secure and are never divulged to anyone.”

The consent order is subject to public comment through March 3, 2014, pending which the FTC will either finalize the order or withdraw it and pursue other action against GMR, such as continuing the lawsuit. In any event, the FTC’s message to businesses is clear: take care with vendors who handle sensitive information on your behalf, including overseas contractors.

Contact Information

If you have any questions regarding this matter or your data security practices, please contact Nadia Aram, the principal author of this alert, or you may contact the Womble Carlyle attorney with whom you normally work or one of the attorneys on our Privacy and Data Protection Team.

Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice regarding any specific facts and circumstances, nor should they be construed as advertisements for legal services.

IRS Circular 230 Notice: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this communication (or in any attachment).