When a Business Doesn’t Protect Your Information
Say someone searched your name online. What do you think they’d find? What if some clicking brought them to things like your medical history, notes from psychiatric sessions or kids’ medical exams, or your Social Security and driver’s license number?
If you don’t like the sound of that, you might be interested to know that the FTC has announced a settlement with GMR Transcription Services, a company that promised “Security Measures to Protect Your Confidentiality,” for failing to protect personal information.
GMR is a digital audio transcription service that allows customers — including health care providers — to upload audio files and get them transcribed. The business runs almost entirely online with a typist downloading a file, typing up a transcript, then uploading the transcript for the customer to pick up or get in an email. According to the FTC, the service GMR used for medical files — Fedtrans — stored and sent files in clear, readable text, and allowed files to be accessed online without any authentication. What’s more, the FTC says, GMR didn’t make typists take basic steps like installing anti-virus software or requiring Fedtrans to use tools like encryption to protect the files.
Going forward GMR has agreed to put a comprehensive information security program in place.