It’s also why the company at fault — a medical transcription service — has agreed to settle Federal Trade Commission charges that its inadequate data-security measures unfairly exposed the personal information of thousands of consumers on the open Internet, in some instances including consumers’ medical histories and examination notes.
In its complaint against California-based GMR Transcription Services, Inc. and the company’s two principal owners, the FTC alleges that GMR hired contractors to transcribe audio files received from the company’s customers. The contractors downloaded the files from the company’s network, transcribed them, and then uploaded transcripts back to the network. GMR then made the transcripts available to customers either directly or by email.
But here’s where things get sticky. The FTC says that due to inadequate security, the patients’ private medical records were indexed by a major Internet search engine and were publicly available to anyone using the search engine. Some of the files contained notes from medical examinations of children and other highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse, pregnancy loss, tax information, medical histories, and driver’s license numbers.
According to the complaint, the company never required the individual typists it hired as contractors to implement security measures, such as installing antivirus software. In addition, the medical files were stored and transmitted in clear, readable text on a server that was configured so that they could be accessed online by anyone without authentication.
It’s enough to make you never want to visit the doctor again, or at least to dig up the number for your grandmother’s old-fashioned doctor, who likely still uses paper charts. But that’s probably a pipe dream thanks to the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under the federal HITECH Act, doctors, healthcare professionals, and hospitals can qualify for Medicare and Medicaid incentive payments when they adopt certified electronic health record (EHR) technology. More than 120,000 eligible health care professionals and more than 3,300 hospitals have qualified to participate in the program and receive an incentive payment since it began in January 2011.