FTC Reverses ALJ Decision on LabMD Data Security Case

Last year, an Administrative Law Judge (ALJ) dismissed a data security case filed against the medical testing laboratory LabMD Inc., by the Federal Trade Commission (FTC). On Friday last week, the FTC announced that the decision has been overturned and LabMD is liable for unfair data security practices.

The FTC had accused LabMD of violating Section 5 of the Federal Trade Commission Act by failing to protect sensitive information of consumers. The FTC maintained that data security practices at LabMD were “unreasonable and constituted an unfair act or practice”.

In a 3-0 vote, the ALJ’s decision was overturned. The ALJ had previously dismissed the case because the FTC had failed to establish that consumers had come to harm as a result of the security failures. The FTC concluded that the ALJ had applied the wrong legal standard for unfairness.

LabMD had been supplied with a substantial amount of consumer data which was stored for a number of years. The types of data supplied to the company included sensitive medical and personal information of healthcare patients. In total, the data of more than 750,000 patients were collected over a period of fourteen years between 2001 and 2014. However, those data were inadequately protected and even basic security measures were not employed to secure the records, detect intrusions, or monitor file integrity, according to the FTC. Staff were not trained on privacy and security matters and LabMD did not delete any patient data that had been collected.

The FTC said “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”

The case was filed against LabMD in 2013 following a tip-off about a data breach that exposed the data of 9,300 customers in 2008. A second breach occurred in 2012 that resulted in an individual gaining access to, and stealing, customers’ data in order to commit identity theft.

The 9,300-record breach involved customers’ data being made available via a peer-to-peer (P2P) file sharing website for a period of 11 months. The website attracted millions of visitors, all of whom could potentially have obtained copies of the data. The FTC claimed that LabMD’s privacy and security failures caused the breach.

The privacy and security failures were discovered by intelligence firm Tiversa, which notified LabMD that its data had been exposed via the P2P file sharing website. Tiversa offered its services to remove the data and mitigate the risk, but when LabMD declined to employ Tiversa for this purpose, the matter was reported to the FTC.

LabMD decided to fight the case filed by the FTC but was forced out of business due to the costs of legal action. LabMD had been in business for 18 years prior to the FTC case, but permanently closed its doors in 2014.

LabMD has 60 days to appeal the decision and file a petition for review with a U.S. Court of Appeals. LabMD CEO Michael Daugherty intends to appeal the decision in federal court.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.