A follow-up on a breach case previously reported on this site. From the FTC:
Following a public comment period, the Federal Trade Commission has approved a final order resolving FTC allegations that GMR Transcription Services, Inc., engaged in deceptive and unfair information security practices that exposed the personal information of thousands of consumers online, in some instances including consumers’ medical histories and examination notes. The settlement was first announced by the Commission in January.
In its complaint, the agency alleged that GMR’s data security practices were inadequate and resulted in transcriptions of audio files provided by GMR’s customers being indexed by a major search engine and made publicly available to anyone using the search engine.
Under the settlement, GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information. They also must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers. In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.
The Commission vote approving the final order and letters to members of the public was 5-0. (FTC File No. 122-3095, the staff contacts in the Bureau of Consumer Protection are Alain Sheer, 202-326-3321, and Kandi Parsons, 202-326-2369.)
And I still don’t understand why this never showed up on HHS’s public breach tool. GMR is headquartered in California.