The Federal Trade Commission (FTC) has finalized a settlement which resolves data security charges against a California provider of medical transcription services.

GMR Transcription Services was accused of “deceptive and unfair information security practices,” when the FTC filed a complaint (PDF) saying that medical information belonging to thousands of consumers was exposed online by the company. Transcribed information provided by healthcare professionals was publicly available via major search engines, a Thursday release from the FTC explained.

Under the settlement, GMR and its owners, Ajay Prasad and Shreekant Srivastava, are barred from misrepresenting their privacy and security practices to consumers. The company must also create a comprehensive information security program, which will be evaluated by a third-party every two years.

GMR must abide by the terms of the settlement for two decades, the FTC said.