EPN, Inc.

Under Review: 
No Review
Date Breach Made Public: 
June 9, 2012
Provo, UT
United States
Utah US
Records Breached: 


Breach Total Number: 
3,800
Year of Breach: 
Type of organization: 
Type of breach: 

The FTC has fined EPN, Inc. for failing to implement reasonable security measures. The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. The FTC claims that this failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law. EPN's chief operating officer installed peer-to-peer file-sharing software on EPN's computer system and left patient information vulnerable to unauthorized access. Hospital patient Social Security numbers, health insurance numbers, and medical diagnosis codes were accessible on any computer connected to the peer-to-peer network. EPN was barred from misrepresenting the privacy, security, confidentiality, and integrity of the personal information it collected. EPN was also required to undergo data security audits and to establish and maintain a comprehensive information security program.