FTC Complaint Alleges Disclosure of Medical and Other Sensitive Information over Peer-to-Peer Network and Alleges Identity Thieves may have Obtained Sensitive Information
In August 2013, the Federal Trade Commission filed a petition in federal court to investigate Atlanta based medical testing laboratory LabMD, Inc. on suspicion that the company failed to reasonably protect the security of consumers’ personal data, including medical information. The FTC claims that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. As a result of those two incidents, the FTC now wants to investigate the unauthorized disclosure of sensitive consumer data – including health information; the disclosure of billing information of over 9,000 consumers was found on LimeWire, a peer-to-peer (P2P) file-sharing network, and how LabMD documents containing the sensitive personal information of at least 500 consumers were found in the hands of identity thieves in California.
The FTC investigation specifically focuses on the suspicion that LabMD:
• did not implement or maintain a comprehensive data security program to protect this information;• did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
• did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
• did not adequately train employees on basic security practices; and
• did not use readily available measures to prevent and detect unauthorized access to personal information.
The complaint also includes a proposed order against LabMD that would prevent future violations of law by requiring the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers’ health insurance companies.
Though the FTC has made clear that it is not yet alleging any wrongdoing by LabMD, the administrative complaint is a warning to companies that the FTC will not shy away from filing complaints in order to further its investigation into a company’s practices. The FTC has stated that LabMD has been uncooperative with the FTC’s investigation, prompting the administrative complaint. The complaint underscores that the FTC is stepping up its enforcement activity and that failure to cooperate with FTC investigations may prompt official complaints and generate public attention. In a rare move by businesses, however, LabMD is following the lead of Wyndham Hotels, who last year became the first company to challenge in court the FTC’s legal authority to legislate data security standards for U.S. businesses via its existing authority. Similarly, LabMD is alleging both that it is being unfairly persecuted by the FTC and that the FTC has no has no jurisdiction or legal authority to bring a data breach complaint.