DataBreaches.Net


Debt collection firm exposed patient data on P2P network – FTC

Posted on June 9, 2012 by Dissent

An FTC action over P2P file-sharing involves a debt collection firm for hospitals where the P2P issue allowed patient data to be exposed:

The FTC has charged two businesses [complaint 1 | complaint 2] with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems. Settlements with the debt collection business and auto dealer will bar misrepresentations about their privacy, security, confidentiality, and integrity of any personal information. Both companies must establish and maintain comprehensive information security programs.

P2P technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But the FTC has found that P2P software can pose significant data security risks. A 2010 FTC examination of P2P-related breaches uncovered a wide range of sensitive consumer data available on P2P networks, including health-related information, financial records, and driver’s license and social security numbers. Files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. Generally, a file that has been shared cannot be permanently removed from the P2P network. In addition, files can be shared among computers long after they have been deleted from the original source computer.

The FTC alleged that EPN, Inc., a debt collector based in Provo, Utah whose clients have included healthcare providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks. As a result of these failures, EPN’s chief operating officer was able to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network.

The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, such as scanning its networks to identify any P2P file-sharing applications operating on them, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.
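The complaint faults EPN for not scanning its own networks for P2P file-sharing applications. The following is an added illustration of what such a scan can look like; it is not code from the FTC, EPN, or DataBreaches.net. It audits a constructed host inventory (invented hostnames, process lists, and listening ports) against process-name fragments and default ports of well-known P2P clients, so that an unexpected LimeWire or uTorrent install on a workstation surfaces as a finding.

```python
"""Audit a host/process inventory for P2P file-sharing clients.

Illustrative detection logic only. The inventory at the bottom is
constructed sample data and does not come from the FTC complaints.
"""
from dataclasses import dataclass

# Lower-case process-name fragments of well-known P2P file-sharing clients.
P2P_PROCESS_HINTS = ("limewire", "frostwire", "kazaa", "emule", "utorrent",
                     "bittorrent", "gnutella", "bearshare")

# Default listening ports historically used by P2P protocols.
P2P_PORT_HINTS = {
    6346: "Gnutella", 6347: "Gnutella",
    4662: "eDonkey/eMule", 4672: "eDonkey/eMule",
    **{p: "BitTorrent" for p in range(6881, 6890)},
}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def audit_host(host: str, processes: list[str], listening_ports: list[int]) -> list[Finding]:
    """Return one Finding per P2P indicator seen on a single host."""
    findings = []
    for proc in processes:
        name = proc.lower()
        for hint in P2P_PROCESS_HINTS:
            if hint in name:
                findings.append(Finding(host, f"process '{proc}' matches P2P client '{hint}'"))
                break  # one finding per process is enough
    for port in listening_ports:
        if port in P2P_PORT_HINTS:
            findings.append(Finding(host, f"listening on {port}/tcp ({P2P_PORT_HINTS[port]} default)"))
    return findings


def audit_inventory(inventory: dict) -> list[Finding]:
    """Run audit_host over every host in an inventory mapping."""
    results = []
    for host, info in inventory.items():
        results.extend(audit_host(host, info["processes"], info["ports"]))
    return results


# Constructed sample inventory: hostnames, processes and ports are invented
# to show what a hit and a clean host look like.
SAMPLE_INVENTORY = {
    "coo-laptop": {"processes": ["outlook.exe", "LimeWire.exe"], "ports": [445, 6346]},
    "billing-01": {"processes": ["sqlservr.exe"], "ports": [1433]},
    "ar-desk-07": {"processes": ["excel.exe", "uTorrent.exe"], "ports": [6881]},
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.reason}")
```

In practice the inventory would be fed from an endpoint agent or a periodic port scan of the internal network, and a hit should trigger both removal of the client and a review of which folders it was configured to share, since anything already shared may have been copied by other peers. Port matches alone are only a hint (the defaults are configurable), so the process-name match is the stronger signal.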

The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, of Statesboro, Georgia, compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information. Because Franklin is a financial institution, the alleged security failures violated the Gramm-Leach-Bliley (GLB) Safeguards Rule as well as Section 5 of the FTC Act. Franklin also allegedly failed to provide annual privacy notices and provide a mechanism by which consumers could opt out of information sharing with third parties, in violation of the GLB Privacy Rule. This is the FTC’s first action against an auto dealer charging GLB violations.

The settlement agreement with Franklin will bar misrepresentations about the privacy, security, confidentiality, and integrity of personal information collected from consumers. It bars Franklin from violating the GLB Safeguards Rule and Privacy Rule. Under the settlement, Franklin Auto must also establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 5-0. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 9, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

Comments in electronic form should be submitted using the following links:

  • Comment on EPN, Inc.
  • Comment on Franklin’s Budget Car Sales, Inc. or Franklin Toyota/Scion

Comments in paper form should be mailed or delivered to Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Source: FTC
