Breach, Data Security

FTC files complaint against LabMD after investigating its security practices

After a legal back-and-forth to investigate a major breach, the Federal Trade Commission (FTC) has filed a complaint against an Atlanta-based medical testing lab accused of exposing the data of more than 9,000 consumers.

In the complaint filed on Thursday in a Washington, D.C. federal administrative court, the FTC alleged that LabMD left victims' medical and personal information vulnerable to theft in two incidents.

In 2009, the FTC began investigating the breach of about 9,000 LabMD customers, where names, Social Security numbers, dates of birth and personal health insurance information was allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks. Then, in 2012, police in Sacramento, Calif., found LabMD documents – which also contained names, Social Security numbers and, in some cases, bank account information – “in possession of identity thieves,” a Thursday release from the FTC claimed.

The FTC did not confirm how the documents ended up in the possession of individuals outside of the company.

In a Friday interview, Jay Mayfield, an FTC spokesman, told SCMagazine.com that the details of the 2012 incident could not be divulged by the commission.

The complaint filed against LabMD has not been made public, as the commission must go through the courts to release the document, he explained.

“LabMD has said the information is proprietary [and, therefore,] confidential,” Mayfield said.

The move is consistent with other steps LabMD has taken in defense of its innocence in the alleged breach.

In June 2012, the FTC ruled against LabMD's petition to quash a Civil Investigative Demand (CID), which is used by the commission to require a company to turn over information relevant to an investigation, similar to a subpoena. Despite continued allegations, LabMD maintains that the FTC's claims are untrue.

LabMD President Michael Daugherty told SCMagazine.com last month that the FTC is without proof of its claims and that it has no case.

On Thursday, PHIPrivacy.net published a statement from LabMD, where it responded to the complaint by saying it “looks forward to vigorously fighting against the FTC's overreach by seeking recourse through the available legal processes.”

The company also said that the complaint was “another example of the FTC's pattern of abusing its authority to engage in an ongoing witch hunt against private businesses.”

SCMagazine.com reached out to LabMD, but did not immediately hear back from the company.

In its complaint, the FTC proposed an order against LabMD that would require it to provide notice to impacted consumers and their health insurance companies. In addition, the order would require the medical testing lab to implement a “comprehensive information security program,” which would be evaluated every two years by an outside security professional for the next two decades.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.