FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

GMR retained Fedtrans, located in India, to transcribe medical audio recordings. According to the FTC’s complaint, Fedtrans used a file transfer protocol (FTP) application to store medical audio and transcript files on its computer network and transmit the files between the network and its typists. The application allegedly stored and transmitted files in clear readable text and was configured so that the files could be accessed online by anyone without authentication. As a result, the files became indexed by search engines, permitting anyone to see the transcribed files through a normal search query. The files contained highly sensitive health information.

The FTC alleges that GMR touted its security to customers but failed to contractually require Fedtrans to adopt and implement appropriate security measures and failed to appropriately monitor Fedtrans’ security practices. The FTC alleged that GMR’s conduct represents a deceptive trade practice. This constitutes a more aggressive position than we have seen from HHS, which requires that health care entities obtain business associate contracts from contractors who handle protected health information, but has not indicated that it would hold entities responsible for a contractor’s lack of security except under limited circumstances when the contractor qualifies as an “agent.”

Not only is this settlement the FTC’s 50th information security settlement, but it also is the fifth health information security action. While the FTC cannot directly bring civil monetary penalties under the FTC Act, its standard practice is to enter into a consent order seeking 20 years of monitoring—and violations of the consent orders can result in financial penalties. Besides this consent order, the FTC also has reached 20-year consent orders with two pharmacy chains for improper disposal of prescription information and with a health care revenue management company for a stolen unencrypted laptop. The FTC’s fifth complaint was against LabMD, who refused to settle and challenged FTC’s authority to bring actions with respect to health information security. LabMD recently announced that it has decided to wind down operations due to its costly challenge to the FTC’s complaint.

Like it or not, the FTC has made clear that it regulates health information security and is not bound by HIPAA in assessing what it considers reasonable and appropriate. Health care entities, including HIPAA covered entities and business associates, face double scrutiny and may want to consider:

• Reviewing their vendor due diligence process, especially with respect to overseas contractors;
• Revisiting whether vendor contracts appropriately hold vendors accountable for maintaining reasonable information security; and
• Verifying whether they have adequately documented the reasonableness of their vendors’ information security.