The timing was off for OCR action on this complaint, however. The massive, 563-page omnibus privacy rule spelling out the new ARRA requirements wasn't released until Jan. 17. 2013, did not become effective until March 26, and was not enforceable until Sept. 23 last year, long after the breaches covered by the complaint occurred.
The complaint was filed against GMR Transcription Services, and individual owners and officers of the Tustin, Calif.-based company, GMR President Ajay Prasad and Vice President Shreekant Srivastava, alleging GMR made “false or misleading” representations about its data privacy and security policies, which “constitutes a deceptive act or practice” in violation of the Federal Trade Commission Act.
It alleges GMR hired contractors who downloaded audio files over the company's network, transcribed them and transmitted back via the network to the company. GMR would then make the transcriptions available to its customers either by direct transfer or by e-mail.
Between March and October 2011, the files prepared by Fedtrans, GMR's India-based service provider for medical transcriptions, “were indexed by a major internet search engine and were publicly available to anyone using the search engine,” according to the settlement document and a FTC news release.
Fedtrans assigned the work to “independent typists” to transcribe, the agreement said, but GMR failed to require Fedtrans by contract “to adopt and implement appropriate security measures” such as requiring that the files be securely stored and encrypted when transmitted and ensuring that only transcriptionists with adequate credentials were able to access the files.
Some of those exposed records included “notes from medical examinations of children and other highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse and pregnancy loss.” In addition to hospitals and other healthcare providers, the company's customers include university students and faculty; “well known corporations,” including retailers, insurers, telecom and financial service providers and government agencies, the complaint said.
Neither GMR nor the two owners paid fines or monetary settlement amounts, but agreed to a number of steps to improve and verify their data security practices. Among these: agreeing to provide the FTC with an independent security assessment every two years for the life of the 20-year agreement.
The agreement was approved by a 4-0 vote of the commission and is subject to public comment through March 3, after which the commission will consider making the consent order final.
Follow Joseph Conn on Twitter: @MHJConn