FTC files complaint against LabMD after investigating its security practices

Share this article:
After a legal back-and-forth to investigate a major breach, the Federal Trade Commission (FTC) has filed a complaint against an Atlanta-based medical testing lab accused of exposing the data of more than 9,000 consumers.

In the complaint filed on Thursday in a Washington, D.C. federal administrative court, the FTC alleged that LabMD left victims' medical and personal information vulnerable to theft in two incidents.

In 2009, the FTC began investigating the breach of about 9,000 LabMD customers, where names, Social Security numbers, dates of birth and personal health insurance information was allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks. Then, in 2012, police in Sacramento, Calif., found LabMD documents – which also contained names, Social Security numbers and, in some cases, bank account information – “in possession of identity thieves,” a Thursday release from the FTC claimed.

The FTC did not confirm how the documents ended up in the possession of individuals outside of the company.

In a Friday interview, Jay Mayfield, an FTC spokesman, told SCMagazine.com that the details of the 2012 incident could not be divulged by the commission.

The complaint filed against LabMD has not been made public, as the commission must go through the courts to release the document, he explained.

“LabMD has said the information is proprietary [and, therefore,] confidential,” Mayfield said.

The move is consistent with other steps LabMD has taken in defense of its innocence in the alleged breach.

In June 2012, the FTC ruled against LabMD's petition to quash a Civil Investigative Demand (CID), which is used by the commission to require a company to turn over information relevant to an investigation, similar to a subpoena. Despite continued allegations, LabMD maintains that the FTC's claims are untrue.

LabMD President Michael Daugherty told SCMagazine.com last month that the FTC is without proof of its claims and that it has no case.

On Thursday, PHIPrivacy.net published a statement from LabMD, where it responded to the complaint by saying it “looks forward to vigorously fighting against the FTC's overreach by seeking recourse through the available legal processes.”

The company also said that the complaint was “another example of the FTC's pattern of abusing its authority to engage in an ongoing witch hunt against private businesses.”

SCMagazine.com reached out to LabMD, but did not immediately hear back from the company.

In its complaint, the FTC proposed an order against LabMD that would require it to provide notice to impacted consumers and their health insurance companies. In addition, the order would require the medical testing lab to implement a “comprehensive information security program,” which would be evaluated every two years by an outside security professional for the next two decades.

Share this article:

Sign up to our newsletters

More in News

Hackers target video game companies to lift copy protections and develop cheats

A threat group is targeting video game companies in order to lift DRM protections, develop cheats and possibly to steal source code.

Android malware spreads via mail tracking SMS spam

The mobile malware is currently targeting German users, McAfee revealed.

About 2,800 victims of worldwide info-stealing campaign targeting various sectors

About 2,800 victims of worldwide info-stealing campaign targeting ...

Unknown attackers have claimed about 2,800 victims in an ongoing information-stealing campaign identified by Kaspersky Lab as "Crouching Yeti."